FORTIFY_SOURCE Compiler Option

[efuturetoday]

Hello all,

I did recently a security audit of an Android Application that is using this library as dependency.
One issue of this report was, that the files in lib/armeabi-v7a/libsqlcipher.so and lib/x86/libsqlcipher.so are not compiled with -D_FORTIFY_SOURCE=2

Recently I did a quick test with a security scanner (checksec) on Ubuntu and could confirm this:

Is that true? Do you provide the builds without this compiler flag?
If not, do you think that it should be added due to security reasons?

As far as I know D_FORTIFY_SOURCE will introduce multiple checks to memory management to improve stability and security.

Thank you

[sjlombardo]

Hello @efuturetoday - thanks for getting in touch. It looks like you are checking the 32 bit armeabi-v7a library, which is built for API 16 which does not support that feature. If you inspect the arm64-v8a variant (built for API 21), you'll notice that it is compiled with FORTIFY_SOURCE support.

Historically SQLCipher has supported the absolute minimum version we can for 32 bit platforms, in order to support the widest possible set of devices. However, we will be changing to use API 21 as the minimum for all platforms in the next release. This change is necessitated by the use of an API by the upstream SQLite project which is unavailable in 16. Therefore, upcoming releases for armeabi-v7a would include FORTIFY_SOURCE support.

As a final note, there are dependencies linked into SQLCipher (libcrypto) that are not compiled with that support by default. We'll investigate the impact of updating those for an upcoming release as well.

[efuturetoday]

Hello @sjlombardo,

thank you for your fast response. I see that the armeabi-v7a archtiecture is somewhat old and you want to provide the highest compability among devices. I recently checked the 4.4.3 Version and there is no FORTIFY_SOURCE support:

Then I checked the most recent Version (4.5.3) and I could confirm the support of FORTIFY_SOURCE:

Therefore the solution for us would be to just update the dependencies to version that supports it.

Thank you for clarification and your quick support :)