Protect Your Android App Against SSL Exploits

If your Android application consumes a web service, you most likely use HTTPS to talk to your API securely. Looking at the news recently, more and more OpenSSL issues are being found.

The big problem with Android is that the OpenSSL library your app uses by default is the one shipped with the Android system image. Since not all device manufacturers update their Android version right away (some never do), your app is most likely running on an old OpenSSL version that is vulnerable to recently published issues.

Some websites suggest bundling your own OpenSSL build into your app with the help of the NDK. That has the big disadvantage that you now have to track every OpenSSL release yourself and ship a patched version of your application right away each time.

Luckily for us Android developers, Google has a solution for this problem. If you use Google Play Services (for example Google Analytics or push notifications via Google Cloud Messaging), there is a very easy way to install an updated security provider: it injects an up-to-date OpenSSL-based TLS implementation into your app that is shipped and updated with Google Play Services, independently of the system image.

The only thing you need to do is call the following method

ProviderInstaller.installIfNeeded(getContext());

within your first Activity (or better, in Application.onCreate()), before any network code runs. The provider is registered in your app's process, so the call has to run on every process start; once the provider is installed in that process, subsequent calls return immediately and won't slow down your application. Note that the method throws GooglePlayServicesRepairableException (Play Services is outdated or disabled, and the user can fix that) and GooglePlayServicesNotAvailableException (no usable Play Services on this device, so you are left with the system provider), so wrap the call in a try/catch instead of letting it crash your app.
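As an added example (not code from the original post), here is how the call looks when placed in an Application subclass with the two exceptions handled and a small check that the Play Services provider really ended up in front of the system one. The package name, class name and the provider name "GmsCore_OpenSSL" are assumptions; verify the provider name on your own device with Security.getProviders().

```java
package com.example.sslupdate; // hypothetical package name

import android.app.Application;
import android.util.Log;

import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.security.ProviderInstaller;

import java.security.Provider;
import java.security.Security;

public class SecureApplication extends Application {
    private static final String TAG = "SecureApplication";
    // Name under which Play Services registers its updated provider
    // (assumption: check Security.getProviders() on a real device).
    private static final String GMS_PROVIDER = "GmsCore_OpenSSL";

    @Override
    public void onCreate() {
        super.onCreate();
        // Must run before any SSLContext, HttpsURLConnection or HTTP client is created:
        // those pick up whichever provider is first in the list at that moment.
        updateSecurityProvider();
    }

    private void updateSecurityProvider() {
        try {
            // Synchronous; returns quickly if the provider is already installed in this process.
            ProviderInstaller.installIfNeeded(this);
            Log.i(TAG, "TLS provider in use: " + topProviderName()
                    + " (updated=" + usingPlayServicesProvider() + ")");
        } catch (GooglePlayServicesRepairableException e) {
            // Play Services is present but outdated or disabled. The user can fix this,
            // so show the standard Play Services notification for the reported status code.
            Log.w(TAG, "Play Services needs attention, status=" + e.getConnectionStatusCode());
            GoogleApiAvailability.getInstance()
                    .showErrorNotification(this, e.getConnectionStatusCode());
        } catch (GooglePlayServicesNotAvailableException e) {
            // No usable Play Services on this device: the app stays on the system provider.
            // Decide here whether to degrade gracefully or refuse to talk to sensitive endpoints.
            Log.e(TAG, "Play Services unavailable; system TLS provider remains in use", e);
        }
    }

    /** Name of the highest-priority security provider, i.e. the one TLS code will pick first. */
    static String topProviderName() {
        Provider[] providers = Security.getProviders();
        return providers.length > 0 ? providers[0].getName() : "(none)";
    }

    /** True when the Play Services provider sits in front of the system provider. */
    static boolean usingPlayServicesProvider() {
        return GMS_PROVIDER.equals(topProviderName());
    }
}
```

If you would rather not block the main thread, ProviderInstaller.installIfNeededAsync(context, listener) does the same work in the background and reports back through ProviderInstallListener.onProviderInstalled() and onProviderInstallFailed(errorCode, recoveryIntent); in that case hold off on network calls until onProviderInstalled() has fired.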

If you want to find out more about the API and why you should use it, have a look at the following links: