I am using the below package version in my project.
implementation 'net.zetetic:android-database-sqlcipher:4.5.4@aar'
implementation 'androidx.sqlite:sqlite:2.2.0'
Before I used `sqlcipher:4.0.1@aar`, but our security team reported an issue of the package being outdated.
Issues: openssl version 1.1.1
Could you please confirm to us which version of OpenSSL is used in SQLCipher 4.5.4?
From the release announcement:
non-FIPS packages using OpenSSL now include 1.1.1t, except Windows UAP which uses OpenSSL 1.1.1s
we got feedback from the security team,
Android: Vuln 9. Partially Fixed, Dependency openssl version 1.1.1t was detected at lib/armeabi-v7a/libsqlcipher.so and lib/arm64-v8a/libsqlcipher.so
Is there any way to update the OpenSSL version? @sjlombardo. Because the security team reported it as outdated.
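The scanner finding quoted above identifies the OpenSSL build by the version banner that OpenSSL compiles into every library, so a team can reproduce the check locally before and after upgrading the dependency. The script below is an added example, not code from this thread or from the SQLCipher project: it opens an AAR or APK as a zip, pulls the `OpenSSL x.y.z` banner out of each bundled `.so`, and flags anything below a minimum version you choose. The archive it scans is constructed in memory with placeholder library contents, and the `jni/<abi>/` paths and the `build_sample_archive` helper are assumptions for the demonstration.

```python
"""Report the OpenSSL version embedded in native libraries of an Android archive.

Added example for the thread above; not part of SQLCipher or of Zetetic's
tooling. AARs keep native libraries under jni/<abi>/, APKs under lib/<abi>/;
the regex below does not care which.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# OpenSSL stores its version banner as a plain string in every build,
# e.g. b"OpenSSL 1.1.1t  7 Feb 2023" or b"OpenSSL 3.0.10 1 Aug 2023".
# Security scanners key on exactly this string, which is why the report
# could name 1.1.1t without any package metadata.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def openssl_versions_in_archive(archive_bytes: bytes) -> Dict[str, List[str]]:
    """Map each .so inside a zip-based archive (AAR/APK) to the OpenSSL
    versions found in it. An empty list means the library embeds no banner,
    which is expected for libraries that do not link OpenSSL."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".so"):
                continue
            data = zf.read(name)
            versions = {m.group(1).decode("ascii") for m in OPENSSL_BANNER.finditer(data)}
            found[name] = sorted(versions)
    return found


def version_key(version: str) -> Tuple[int, int, int, str]:
    """Turn '1.1.1t' into (1, 1, 1, 't') so versions compare numerically.
    The trailing letter only exists in the 1.x series; 3.x uses a plain
    fourth-less triple, so an empty string sorts below any letter."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_outdated(version: str, minimum: str) -> bool:
    """True when the embedded version is older than the minimum you accept.
    The 1.1.1 series reached end of life in September 2023, so a policy of
    minimum="3.0.0" flags every 1.1.1x library."""
    return version_key(version) < version_key(minimum)


def outdated_libraries(archive_bytes: bytes, minimum: str) -> Dict[str, List[str]]:
    """Subset of openssl_versions_in_archive() whose versions fall below minimum."""
    report = openssl_versions_in_archive(archive_bytes)
    return {
        path: versions
        for path, versions in report.items()
        if any(is_outdated(v, minimum) for v in versions)
    }


def build_sample_archive() -> bytes:
    """Constructed stand-in for an AAR: two fake libsqlcipher.so files with a
    1.1.1t banner and one unrelated library without any banner. The bytes
    around the banner are filler, not real ELF content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        banner = b"\x00" * 16 + b"OpenSSL 1.1.1t  7 Feb 2023" + b"\x00" * 16
        zf.writestr("jni/armeabi-v7a/libsqlcipher.so", banner)
        zf.writestr("jni/arm64-v8a/libsqlcipher.so", banner)
        zf.writestr("jni/arm64-v8a/libother.so", b"\x00" * 32)
        zf.writestr("classes.jar", b"PK-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for path, versions in openssl_versions_in_archive(sample).items():
        print(f"{path}: {', '.join(versions) or '(no OpenSSL banner)'}")
    for path in outdated_libraries(sample, minimum="3.0.0"):
        print(f"OUTDATED (< 3.0.0): {path}")
```

To run it against a real download, replace `build_sample_archive()` with the bytes of the `.aar` from your Gradle cache; the same function works on an APK, since the banner check does not depend on the archive layout.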
Hello @Abu_Basith - you could build SQLCipher yourself from source and use a different OpenSSL version. Otherwise, you’d need to wait for the next release when we would update the version used.
Thanks @sjlombardo - Could you please give any guidance for the OpenSSL version update in SQLCipher?
I can’t provide a concrete timeline right now, but there will likely be a release sometime this month.
Hey @sjlombardo, I saw the new version 4.5.5 is officially released, so has the OpenSSL version been increased?
Hello @Abu_Basith - SQLCipher non-FIPS packages that use the OpenSSL Cryptographic Provider are now using OpenSSL 3.0.10 LTS. Note that android-database-sqlcipher has been deprecated, so you should migrate to use the new sqlcipher-android package.
@sjlombardo - What is the meaning of non-FIPS packages? And does sqlcipher-android come under non-FIPS?
Hello @Abu_Basith - It basically means any standard distributions of community, commercial, or enterprise packages which use OpenSSL. SQLCipher Enterprise FIPS is a special set of packages that use a FIPS 140-2 validated cryptographic module. Such packages are clearly marked and only distributed through our Enterprise program under a special license. If you do not have a specific FIPS package license from Zetetic then your sqlcipher-android packages are non-FIPS.