Welp. It’s the crypto bug of the year. Mark it down for April. Java 15-18 ECDSA doesn’t sanity check that the random x coordinate and signature proof are nonzero; a (0,0) signature validates any message. Breaks JWT, SAML, &c.
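A worked model of the failure the tweet describes, added here as an example (it is not code from the tweet's author or from the JDK): a minimal pure-Python P-256 ECDSA verifier in two variants. `verify_unchecked` skips the "r and s must be in [1, n-1]" check that the standard requires; with r = s = 0 it computes u1 = u2 = 0, lands on the point at infinity, reads its x-coordinate as 0, and compares that to r = 0, so any message verifies. `verify_checked` performs the range check first and rejects the forgery. Two details are modeling assumptions, not verified claims about the JDK internals: the Fermat-style inversion that returns 0 for a zero input instead of raising, and the projective-to-affine conversion that maps infinity to x = 0. The private key and nonce are constructed test values.

```python
"""Minimal P-256 ECDSA verifier showing why a (0, 0) signature passes when
r and s are not range-checked. Added example, not JDK code."""
import hashlib

# NIST P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Points are affine (x, y) tuples; None is the point at infinity.
def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0

def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k == 0 yields infinity (None)."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def message_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, e, k):
    """Textbook ECDSA signing with a caller-supplied nonce k (test use only)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, s)

def fermat_inverse(x, m):
    # Modeling assumption: a constant-time inversion x^(m-2) mod m does not
    # fail on x == 0, it silently returns 0 (pow(x, -1, m) would raise).
    return pow(x, m - 2, m)

def affine_x(pt):
    # Modeling assumption: converting the point at infinity from projective
    # to affine coordinates yields x == 0 rather than an error.
    return 0 if pt is None else pt[0]

def verify_unchecked(pub, e, sig):
    """ECDSA verification WITHOUT the r, s in [1, n-1] check (the bug)."""
    r, s = sig
    w = fermat_inverse(s, N)
    u1 = e * w % N
    u2 = r * w % N
    R = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    # With r == s == 0: w = 0, u1 = u2 = 0, R = infinity, x(R) = 0 == r.
    return affine_x(R) % N == r

def verify_checked(pub, e, sig):
    """ECDSA verification as specified: range-check r, s; reject R at infinity."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1 = e * w % N
    u2 = r * w % N
    R = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    if R is None:
        return False
    return R[0] % N == r

# Constructed test key and nonce: arbitrary values in [1, N-1].
PRIV = 0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721
PUB = ec_mul(PRIV, G)
NONCE = 0xa6e3c57dd01abe90086538398355dd4c3b17aa873382b0f24d6129493d8aad60

if __name__ == "__main__":
    e = message_hash(b"a message the key holder actually signed")
    good = sign(PRIV, e, NONCE)
    forged = message_hash(b"any message the attacker chooses")
    print("genuine sig, checked  :", verify_checked(PUB, e, good))
    print("(0,0) sig, unchecked  :", verify_unchecked(PUB, forged, (0, 0)))
    print("(0,0) sig, checked    :", verify_checked(PUB, forged, (0, 0)))
```

The check that matters is the first line of `verify_checked`: reject r or s outside [1, n-1] before touching the curve arithmetic. For anything that consumes third-party signatures (JWT, SAML, TLS, code signing) on an affected JDK, the practical test is to feed a token whose ECDSA signature is all zero bytes and confirm that it is rejected.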
Android itself doesn't use the JVM or the OpenJDK cryptography backend. It uses OpenJDK for the SDK including compiling Java to bytecode with javac, which it then compiles to Dalvik bytecode. Android SDK works with OpenJDK 18 as long as source/target language is set to <= 12.
Default language for developing apps has switched to Kotlin and there are lots of Kotlin-exclusive features for the libraries. Java version isn't as relevant as it seems since Java bytecode is turned into Dalvik bytecode with backwards compat based on min API level, not Java ver.
Targeting Java 11 does not mean the app depends on the OS supporting Java 11. SDK will convert it to bytecode using the latest Dalvik bytecode features available in the minimum API level set by the app. Using lambdas doesn't mean it requires that the OS supports lambdas, etc.