
Conversation

@ronickg (Contributor) commented Oct 18, 2024

The aim of this pull request is to update OpenSSL to a newer version for Android (#351) and, for iOS, to try to fix issue #470 by, instead of using OpenSSL-Universal, having OpenSSL as a local xcframework inside the ios folder.

For the Android Maven lib I built it with the help of this repo:
https://android.googlesource.com/platform/tools/ndkports/+/refs/heads/main

And for iOS:
https://github.com/duckduckgo/OpenSSL-XCFramework

Tested on both iOS and Android emulators, and it works.

@shamilovtim (Contributor) left a comment

I do not trust replacing OpenSSL with these new sources on either platform.

This github.io.cryptorg Maven org appeared just recently. I don't see any evidence that github.io.cryptorg is a real, officially sanctioned AOSP namespace, despite the pom file suggesting that this is published by AOSP.

@ronickg (Contributor, Author) commented Oct 22, 2024

@shamilovtim Yes, makes total sense. I myself published the library to Maven. I would recommend some trusted party in the React Native community publish it, and then use that instead of mine. I can help out with doing it, as I have already invested quite a bit of time figuring out how one does it.

@shamilovtim (Contributor) commented Oct 22, 2024

> @shamilovtim Yes, makes total sense. I myself published the library to Maven. I would recommend some trusted party in the React Native community publish it, and then use that instead of mine. I can help out with doing it, as I have already invested quite a bit of time figuring out how one does it.

Thanks, OK, that makes sense.

My suggestion, instead of relying on blind trust, is to stick to the old dependencies and wait for a build script to get added to the repo which is:
a) reproducible on every run;
b) plus a run on CI that will block if there's a diff;
c) it needs to compare its hash against a hash provided by the OpenSSL project.

In the meantime, until these robust security checks are added, I think it's safer to stick to the existing code.

@ronickg (Contributor, Author) commented Oct 22, 2024

Maybe something similar to how Trust Wallet's Wallet Core does it would be helpful, by using GitHub to publish the Maven repos.

https://github.com/orgs/trustwallet/packages?repo_name=wallet-core

@ronickg (Contributor, Author) commented Oct 26, 2024

@shamilovtim I went to a bit of effort creating a repo which can now build the .aar ports using GitHub Actions, so every step can be followed, as well as the source code used to build it. The keys used for signing are stored in GitHub secrets. For OpenSSL I also added a step, when downloading the selected version, that validates the hash and signature. I am not sure if there is still more one can do to prove it's not been tampered with, but here is what I have come up with so far.

The source code: https://github.com/ronickg/ndkports/
The actions: https://github.com/ronickg/ndkports/actions/runs/11532947208
The releases: https://github.com/ronickg/ndkports/releases
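The hash check proposed above (compare the downloaded tarball against the hash the OpenSSL project publishes, and verify its signature) as an added example, not code from this PR or from the ronickg/ndkports repo. The function names, the pinned-keyring convention and the sample file are assumptions made for illustration; the expected hash and the signature file are meant to be fetched separately from the tarball and pinned in the repo, not computed at build time.

```shell
#!/bin/sh
# Hypothetical verification step for a download-and-build script (added example).
set -eu

# Compute the SHA-256 of a file; portable across GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch.
# EXPECTED may be the bare hex digest or the content of a published
# ".sha256" file ("<hex>  <filename>"); case is normalised before comparing.
verify_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | awk '{print $1}' | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $1: expected $expected, got $actual" >&2
  return 1
}

# verify_signature FILE SIGFILE KEYRING -> runs gpg against a keyring that is
# checked into the repo only, never the caller's default keyring, so a stray
# imported key cannot satisfy the check. (Assumed convention, not OpenSSL's.)
verify_signature() {
  gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Both checks must pass before the tarball is unpacked; a CI job that fails
# here blocks the build instead of silently using whatever was downloaded.
verify_release() {
  verify_sha256 "$1" "$2" && verify_signature "$1" "$3" "$4"
}
```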

@boorad (Collaborator) commented Dec 3, 2024

main gets the upgrade in #534

closing this in favor of the published artifact...

@ronickg 💪 🚀 thanks!

@boorad boorad closed this Dec 3, 2024