Testing the Security Provider
Applications based on the Android SDK should depend on GooglePlayServices. For example, in the gradle build file, you will find
compile 'com.google.android.gms:play-services-gcm:x.x.x' in the dependencies block. You need to make sure that the
ProviderInstaller class is called with either
ProviderInstaller needs to be called by a component of the application as early as possible. Exceptions thrown by these methods should be caught and handled correctly. If the application cannot patch its security provider, it can either inform the API of its less secure state or restrict user actions (because all HTTPS traffic should be deemed riskier in this situation).
If you have access to the source code, check if the app handle any exceptions related to the security provider updates properly, and if it reports to the backend when the application is working with an unpatched security provider. The Android Developer documentation provides different examples showing how to update the Security Provider to prevent SSL exploits.
Lastly, make sure that NDK-based applications bind only to a recent and properly patched library that provides SSL/TLS functionality.
When you have the source code:
- Run the application in debug mode, then create a breakpoint where the app will first contact the endpoint(s).
- Right click the highlighted code and select
Security.getProviders()and press enter.
- Check the providers and try to find
GmsCore_OpenSSL, which should be the new top-listed provider.
When you do not have the source code:
- Use Xposed to hook into the
java.securitypackage, then hook into
java.security.Securitywith the method
getProviders(with no arguments). The return value will be an array of
- Determine whether the first provider is