
I am getting a security alert on my uploaded Android build on the Google Play Store.

"Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability."

I tried to fix it by implementing the following code and updating my build:

```java
import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;

public class MySSLSocketFactory extends SSLSocketFactory {
    // Field initializer may throw NoSuchAlgorithmException because every constructor declares it.
    SSLContext sslContext = SSLContext.getInstance("TLS");

    public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
        super(truststore);

        // Trust manager whose check methods are empty: it never throws, so it
        // accepts any server certificate (this is what the Play Store alert flags).
        TrustManager tm = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };

        // The all-trusting manager replaces the platform's default trust manager.
        sslContext.init(null, new TrustManager[] { tm }, null);
    }

    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
        return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
    }

    @Override
    public Socket createSocket() throws IOException {
        return sslContext.getSocketFactory().createSocket();
    }
}
```

But I am still getting the security alert.

One more question: I don't want to update my live application again and again to remove this security alert. Is there any way that I can upload my build, check that the changes were done correctly, and then make this same build live?

Update: I also added the following lines in checkServerTrusted():

```java
// Logger and TAG are the app's own logging helper and tag (not shown here).
// Note: checkValidity() only tests the leaf certificate's notBefore/notAfter dates;
// it does not verify the signature chain or the issuer.
try {
    chain[0].checkValidity();
} catch (CertificateExpiredException e) {
    Logger.e(TAG, "CertificateExpiredException");
    throw new CertificateException("CertificateExpiredException");
} catch (CertificateNotYetValidException e) {
    Logger.e(TAG, "CertificateNotYetValidException");
    throw new CertificateException("CertificateNotYetValidException");
}
```
Ziem
ParikshitSinghTomar
  • _"Is there any way that I can upload my build and can check that changes was done perfectly and can live this same application."_ You could publish the new version as an alpha or beta and add only yourself as a betatester. – Michael Feb 29 '16 at 18:42
  • "I try to fix it by implementing following code and update my build " -- that is the very definition of an insecure `X509TrustManager`. Remove it, please. "But still I am getting security alert" -- that is because you did not fix the problem, but instead made it worse. If you are not already using `X509TrustManager` in your code (prior to what you did in this question), then [the problem is probably coming from a library](https://commonsware.com/blog/2016/02/22/about-x509trustmanager-emails.html). – CommonsWare Feb 29 '16 at 18:46
  • From Google's support page for this error: "To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations.". Your current implementation of `X509TrustManager` would trust any certificate it was presented with. – Michael Feb 29 '16 at 18:48
  • @Michael, I know that I can upload my application in Alpha or Beta mode. But are you sure that this security alert will also show in testing modes, and that in testing mode Google will give me security alerts if the issue still persists, or confirmation that the issue was successfully resolved? – ParikshitSinghTomar Feb 29 '16 at 18:48
  • _"are you sure that this security alert will also show in testing modes"_ I am not, but it would be quite easy to test. Simply upload a version that contains no additional fixes as a beta. – Michael Feb 29 '16 at 18:51
  • @Michael, now I have also added a few lines in the checkServerTrusted method. See the update. – ParikshitSinghTomar Feb 29 '16 at 18:51
  • @CommonsWare, I removed Apache Client support from my project and am using the HttpsUrlConnection class. I also updated my support library from the business team, and right now they are also using the above class. But the above issue is still showing. Now I have three other libraries: 1. Facebook SDK 2. Crashlytics 3. libraryImageCaching. I checked the code of libraryImageCaching and this library is also using HttpUrlConnection and HttpsUrlConnection. Now the problem may be in the FB SDK and Crashlytics. How do I identify whether the issue is due to this code block or a library? – ParikshitSinghTomar May 10 '16 at 13:32
  • @PKTomar: Update to the latest versions of those libraries. If the problem persists, contact Facebook and Twitter, respectively. – CommonsWare May 10 '16 at 13:34
  • I will also do this. – ParikshitSinghTomar May 10 '16 at 13:36
  • @CommonsWare, I found that this alert is showing for the previously published build, not for my test builds. I uploaded 2 or 3 more builds in testing mode to check this issue, but Google only checks the published build. Is there any way to upload a build which will not be published but where I can test this issue? – ParikshitSinghTomar May 12 '16 at 12:23
  • @PKTomar: I have no idea, sorry. – CommonsWare May 12 '16 at 12:25

1 Answer

0

If you want to check that your app has been fixed, you can upload it as a timed publish.

If your new version did not fix the mentioned bug, you will be notified.

user3673952