Skip to content
This repository has been archived by the owner on Aug 24, 2023. It is now read-only.

bherbst/OpenSSL-Checker

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits

app-test

app-test

 
 

gradle/wrapper

gradle/wrapper

 
 

lib-test

lib-test

 
 

openssl-checker

openssl-checker

 
 

openssl-lib-1.0.1c

openssl-lib-1.0.1c

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

settings.gradle

settings.gradle

 
 

Repository files navigation

OpenSSL Vulnerabilty Checker

Build Status Coverage Status

A Gradle plugin for checking whether an .apk or an .aar contains OpenSSL versions with known vulnerabilities.

Google automatically scans the APKs you upload to the Play Store for versions of OpenSSL that contain known vulnerabilities. If it detects a vulnerable OpenSSL version, your app will be rejected. You can find more information on addressing these vulnerabilities in your application here.

Usage

In your project's root build.gradle:

buildscript {
    repositories {
        // jCenter() or mavenCentral()
    }

    dependencies {
        classpath 'com.bryanherbst.openssl-checker:openssl-checker:1.0.0'
    }
}

In your app/build.gradle:

apply plugin: 'android'
//...
apply plugin: 'com.bryanherbst.openssl-checker'

Then run ./gradlew check[variantName]OpenSSL. For example, ./gradlew checkDebugOpenSsl. This task will fail if a vulnerable version is found.

Note: This plugin currently only works on Unix machines, as it runs a shell command to analyze your build's output file. Contributions to get it working on Windows are welcome!

Sample output

Found OpenSSL version 1.0.0m in:
        - /Users/username/bad-library/openssl-1.0.0m
:app:checkDebugOpenSsl FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:checkDebugOpenSSL'.
> OpenSSL 1.0.0m detected and contains known vulnerabilities

Source attribution

When possible, this plugin will attempt to tell you where a vulnerable Open SSL version came from. This relies on the fact that when someone builds Open SSL, the path at which they built it is often left in the built .so files.

For example, if you see this:

Found OpenSSL version 1.0.0m in:
        - /Users/username/bad-library/openssl-1.0.0m

You can assume pretty reasonably that "bad-library" is to blame for the bad version of Open SSL.

If the source is "unknown," we couldn't find a file path that looked like an Open SSL file path, so we couldn't make any recommendations as to who might be at fault.

Vulnerabilities detected

This plugin works by unzipping your apk/aar and checking for references to insecure OpenSSL versions.

Currently only versions released after 1.0.2f and 1.0.1r are considered secure, which matches what Google currently considers secure for Android applications.

You can achieve similar results by running unzip -p your-app.apk | strings | grep "OpenSSL".

About

A Gradle plugin for checking whether an .apk or an .aar contains OpenSSL versions with known vulnerabilities

Topics

android security gradle gradle-plugin

Resources

Readme

License

Apache-2.0 license
Activity

Stars

11 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases 1

0.1.0 Latest
Oct 11, 2016

Packages

No packages published

Languages