It seems the new OpenSSL bug isn’t as severe as they were initially thinking. Still, I’d like to check if any of my apps are using vulnerable versions (3.0.0-3.0.6), since I have a lot of them and some haven’t been updated in a while. (I know that’s not great, but using Google Play seems like a worse idea.)
Is there any simple way to check this on a rooted phone? So far I’ve ruled out Termux (uses OpenSSL 1.x).
Doesn’t that mean that, while you might not be affected by the vulnerability above, you are affected by dozens of other vulnerabilities discovered earlier? I wouldn’t call this “good news”.
Probably yeah, but there’s not much I can do about it without wasting another 500-1k$ to buy something that’s going to be equally wide open in a couple of years. It’s also not something I became aware of today; I’m not qualifying it as news.
Besides, I rely a lot on my fairly savage firewall setup and I’m not convinced a newer Android would improve my security without sacrificing privacy in that regard.
Hmm, apparently the NDK cannot link dynamically against the system’s SSL stack, so apps with native code might ship their own SSL stack. There is also the stack shipped through Google Play Services, but F-Droid apps cannot use it because of non-free dependencies. Additionally, apps can also ship their own stack (AntennaPod’s F-Droid version does that, for example). In general, though, I would assume most apps simply use the system’s default stack.
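
For apps that bundle their own stack, as described in the reply above, one way to check is to look for OpenSSL's version banner inside the native libraries of each APK. This is an added example, not code from anyone in the thread; it assumes the APK files are readable (for instance copied off the rooted device), and the sample APK is constructed in memory for illustration.

```python
import io
import re
import sys
import zipfile

# OpenSSL embeds its version banner (OPENSSL_VERSION_TEXT) in libcrypto,
# e.g. b"OpenSSL 3.0.5 5 Jul 2022"; 1.x releases carry a letter suffix.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")

def openssl_versions(blob):
    """Return the set of OpenSSL version strings found in a binary blob."""
    return {
        "%d.%d.%d%s" % (int(a), int(b), int(c), s.decode())
        for a, b, c, s in BANNER.findall(blob)
    }

def is_affected(version):
    """True for the range named in the thread: 3.0.0 through 3.0.6."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and (3, 0, 0) <= tuple(map(int, m.groups())) <= (3, 0, 6)

def scan_apk(apk):
    """Map each bundled .so in an APK (path or file object) to its banners."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                found = openssl_versions(zf.read(name))
                if found:
                    hits[name] = sorted(found)
    return hits

def sample_apk():
    """Constructed test input: an in-memory APK with two fake libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libcrypto.so", b"\x7fELF\0OpenSSL 3.0.5 5 Jul 2022\0")
        zf.writestr("lib/arm64-v8a/libold.so", b"\x7fELF\0OpenSSL 1.1.1q  5 Jul 2022\0")
        zf.writestr("classes.dex", b"dex\n035\0")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for apk in sys.argv[1:] or [sample_apk()]:
        for lib, versions in scan_apk(apk).items():
            for v in versions:
                flag = "AFFECTED" if is_affected(v) else "ok"
                print(f"{apk}: {lib}: OpenSSL {v} [{flag}]")
```

A library with no banner is not proof that OpenSSL is absent, since a statically linked or stripped build may not carry the string. Apps that use the system's default stack have no bundled library to scan.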