I am using the below package version in my project.
implementation 'net.zetetic:android-database-sqlcipher:4.5.4@aar'
implementation 'androidx.sqlite:sqlite:2.2.0'
Before, I used sqlcipher:4.0.1@aar, but our security team reported an issue of the package being outdated.
Issue: openssl version 1.1.1
Could you please confirm to us which version of OpenSSL is used in SQLCipher 4.5.4?
From the release announcement:
non-FIPS packages using OpenSSL now include 1.1.1t, except Windows UAP which uses OpenSSL 1.1.1s
We got feedback from the security team:
Android: Vuln 9. Partially Fixed, Dependency openssl version 1.1.1t was detected at lib/armeabi-v7a/libsqlcipher.so and lib/arm64-v8a/libsqlcipher.so
Is there any way to update the OpenSSL version, @sjlombardo? The security team reported it as outdated.
Hello @Abu_Basith - you could build SQLCipher yourself from source and use a different OpenSSL version. Otherwise, you’d need to wait for the next release when we would update the version used.
Thanks @sjlombardo - Could you please give any guidance on the OpenSSL version update in SQLCipher?
I can’t provide a concrete timeline right now, but there will likely be a release sometime this month.
Hey @sjlombardo, I saw the new version 4.5.5 is officially released, so has the OpenSSL version been increased?
Hello @Abu_Basith - SQLCipher non-FIPS packages that use the OpenSSL Cryptographic Provider are now using OpenSSL 3.0.10 LTS. Note that android-database-sqlcipher has been deprecated, so you should migrate to use the new sqlcipher-android package.
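
To confirm which OpenSSL version actually ships in a build after an upgrade, the same check the scanner performed on `lib/<abi>/libsqlcipher.so` can be reproduced locally. This is an added example, not code from the thread or from Zetetic; it assumes the statically linked OpenSSL leaves its version banner in the native library, the function names are hypothetical, and the sample archive is constructed.

```python
import io
import re
import sys
import zipfile

# OpenSSL version banner as embedded in the binary, e.g.
# b"OpenSSL 1.1.1t  7 Feb 2023" or b"OpenSSL 3.0.10 1 Aug 2023".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")


def openssl_versions_in_archive(archive):
    """Map every native library in an APK/AAR to the OpenSSL versions found in it.

    `archive` is a path or a binary file object. Libraries without a banner
    map to an empty list, so a stripped or non-OpenSSL build is visible too.
    """
    found = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            # APKs keep native code under lib/<abi>/, AARs under jni/<abi>/.
            if not name.endswith(".so"):
                continue
            data = zf.read(name)
            found[name] = sorted({m.group(1).decode() for m in BANNER.finditer(data)})
    return found


def build_sample_apk():
    """Constructed stand-in for an APK: fake .so payloads carrying only a banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libsqlcipher.so",
                    b"\x7fELF\x00\x00OpenSSL 1.1.1t  7 Feb 2023\x00")
        zf.writestr("lib/armeabi-v7a/libsqlcipher.so",
                    b"\x7fELF\x00\x00OpenSSL 3.0.10 1 Aug 2023\x00")
        zf.writestr("lib/arm64-v8a/libother.so", b"\x7fELF no banner here")
        zf.writestr("classes.dex", b"dex OpenSSL 1.0.2k  26 Jan 2017")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a real APK/AAR path, or run without arguments for the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for lib, versions in sorted(openssl_versions_in_archive(target).items()):
        print(f"{lib}: {', '.join(versions) or 'no OpenSSL banner found'}")
```

Running it against the release APK for every ABI shows whether an old copy of the library is still being packaged, for example from a stale dependency left in the build.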