0

I have to apps in the PlayStore, both have the same implementation of the X509TrustManager but one keeps being flagged as having an 'insecure implementation ', but the code is identical... I would appreciate some help/tips on how this can be improved, security is not my strongest area. Thanks

Code:

public void createTrustManager() {
    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
    }

    @Override
    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {


        try {
            try {
                chain[0].checkValidity();
            } catch (java.security.cert.CertificateExpiredException e) {
                e.printStackTrace();
            } catch (java.security.cert.CertificateNotYetValidException e) {
                e.printStackTrace();
            }
        } catch (IllegalArgumentException e) {

            try {
                throw new IllegalArgumentException("CertificateNotYetValidException");
            } catch (IllegalArgumentException ex) {
                ex.printStackTrace();
            }
        }

    }

    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }
    public void checkClientTrusted(X509Certificate[] certs, String authType) {
    }
    public void checkServerTrusted(X509Certificate[] certs, String authType) {
    }
}
};

// Install the all-trusting trust manager
SSLContext sc = null;
try {
    sc = SSLContext.getInstance("SSL");



} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}
try {
    assert sc != null;

    sc.init(null, trustAllCerts, new java.security.SecureRandom());
} catch (KeyManagementException e) {
    e.printStackTrace();
}
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

// Create all-trusting host name verifier

// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()   {
    @Override
    public boolean verify(String hostname, SSLSession arg1) {
        return hostname.equalsIgnoreCase(RestFUL_URLS.DOMAIN) || hostname.equalsIgnoreCase(RestFUL_URLS.DOMAIN) || hostname.equalsIgnoreCase("reports.crashlytics.com") || hostname.equalsIgnoreCase("api.crashlytics.com")  || hostname.equalsIgnoreCase("api.pushy.me")  || hostname.equalsIgnoreCase("mqtt.pushy.me")  || hostname.equalsIgnoreCase("play.google.com" );

    }
});

}

Edward Tattsyrup
  • 245
  • 1
  • 3
  • 15
  • So what is the problem for which you have this kind of insecure X509TrustManager as a solution? – laalto Sep 14 '20 at 10:26
  • @laalto, sending data to a server. – Edward Tattsyrup Sep 14 '20 at 11:03
  • Why do you think that you need a custom TrustManager for that? – Michael Sep 14 '20 at 11:40
  • Also, Google have [an FAQ](https://support.google.com/faqs/answer/6346016?hl=en) where they specifically mention two things that you shouldn't do, but which your code does (catching exceptions that you shouldn't catch, and relying on `checkValidity` alone to decide whether to trust a certificate). – Michael Sep 14 '20 at 11:47
  • The problems include but are not limited to: (1) that you have it at all, instead of using a CA-signed certificate at the server or importing its certificate into your truststore; (2) you don't verify every certificate in the chain; (3) you don't check whether the chain really is a chain instead of just a set of random unrelated certificates; (4) you accept expired or not-yet-valid certificates; (5) bizarre behaviour on `IllegalArgumentException`, (6) that `getAcceptedIssuers()` returning null *contra* the specification; (7) your `HostnameVerifier` ignores the actual cer\tificate; ... – user207421 Sep 15 '20 at 01:28

0 Answers0