Google has recently confirmed that there is a serious issue with improper seeding of the pseudo-random number generator (PRNG) found on some versions of the Android platform. As a result, we've released a new version of SQLCipher for Android which addresses potential risks introduced by this vulnerability. SQLCipher for Android 2.2.2 binaries can be found here.
The issue itself centers around improper default initialization of the OpenSSL PRNG; specifically, it appears from the fix that /dev/urandom was not included in the seeding process to the entropy pool. This increases the likelihood that low-entropy data could be provided when requesting random data from calls to OpenSSL’s RAND_bytes.
Previously, SQLCipher for Android was dynamically linking the system provided version of the OpenSSL library on the device. This means that SQLCipher was using the version of OpenSSL on affected platforms. This reduced complexity and allowed for a smaller binary payload when integrating the library into an application. Unfortunately, it also means that older versions of SQLCipher used the affected versions of OpenSSL on those Android versions.
To address this issue, SQLCipher for Android will no longer rely on Android’s system-provided OpenSSL library. Instead, new binaries statically link the 1.0.1e tag of OpenSSL, currently the latest release. We have verified locally that OpenSSL 1.0.1e includes data from /dev/urandom in the entropy pool during initialization. This change has the added benefit of normalizing behavior, as there are outdated distributions of OpenSSL embedded in certain Android platforms. We estimate that the statically linked library will add 1.0 MB to most ARM-only applications, although it could be as high as an additional 2.3 MB if other architectures are supported (e.g., x86).
SQLCipher relies on random data for two purposes: initial generation of the random database salt, and generation of per-page initialization vectors (IVs) for AES-256-CBC encryption. Happily, neither usage will result in catastrophic failure, as was the case with Bitcoin wallet applications, where poor randomness led to the generation of weak asymmetric keys. That said, it is likely that existing databases created on older Android platforms will have low-entropy salts and IVs. Theoretically this weakness in the underlying PRNG could facilitate optimized attacks in certain circumstances.
As a result, we strongly recommend that you upgrade to the latest SQLCipher for Android binaries as soon as possible. Out of an abundance of caution, we’d also recommend that those concerned with the security of existing databases generated on affected Android platforms perform a database export via the sqlcipher_export convenience function to re-encrypt the database. This process will generate a new random database salt and initialization vectors for all pages in the database.
If you have any questions, please feel free to ask. Thanks!
blog comments powered by Disqus