
I have received this message from Google. We aren't using any TrustManager etc. We are using okhttp and google publisher, and I don't know how I can detect this security vulnerability.


We found that your app contains security vulnerabilities, which can expose user information or damage a user’s device. This is a violation of Device and Network Abuse policy. Specifically, your app(s) are vulnerable to TrustManager. To address this issue, follow the steps in this Google Help Center article.

Affected Version(s): APK: 21

dependencies {
    implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
    implementation "androidx.multidex:multidex:2.0.1"
    implementation 'com.google.android.material:material:1.2.1'

    implementation 'com.google.firebase:firebase-messaging:21.0.1'

    implementation 'com.facebook.android:facebook-android-sdk:8.2.0'

    implementation 'com.github.chrisbanes:PhotoView:2.1.3'
    implementation 'org.jsoup:jsoup:1.13.1'
    implementation 'com.android.billingclient:billing:3.0.2'
    annotationProcessor 'com.jakewharton:butterknife-compiler:10.2.3'
    implementation 'com.jakewharton:butterknife:10.2.3'

    implementation 'io.reactivex.rxjava3:rxjava:3.0.8'

    implementation 'com.google.code.gson:gson:2.8.6'

    implementation 'com.varunjohn1990.libraries:WhatsappMessengerView:2.1.0'

    implementation 'com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0'
    implementation 'com.google.auth:google-auth-library-oauth2-http:0.22.2'

    implementation 'com.github.drawers:SpinnerDatePicker:2.0.1'
    implementation 'com.elyeproj.libraries:loaderviewlibrary:2.0.0'
    implementation 'link.fls:swipestack:0.3.0'

    implementation 'jp.wasabeef:picasso-transformations:2.4.0'
    // If you want to use the GPU Filters
    implementation 'jp.co.cyberagent.android:gpuimage:2.1.0'

    implementation 'com.squareup.picasso:picasso:2.71828'

    implementation 'com.github.HamidrezaAmz:AndroidImageSlider:v1.0.8'
    implementation 'com.eightbitlab:blurview:1.6.3'

    implementation 'pl.bclogic:pulsator4droid:1.0.3'

    implementation 'com.google.android.play:core:1.9.0'

    implementation project(':bottomnavbar')
    implementation project(':segmentcontrol')
    implementation project(':scrool')
}

\build.gradle: Error: commons-logging defines classes that conflict with classes now provided by Android. Solutions include finding newer versions or alternative libraries that don't have the same problem (for example, for httpclient use HttpUrlConnection or okhttp instead), or repackaging the library using something like jarjar. [DuplicatePlatformClasses]

\build.gradle: Error: httpclient defines classes that conflict with classes now provided by Android. Solutions include finding newer versions or alternative libraries that don't have the same problem (for example, for httpclient use HttpUrlConnection or okhttp instead), or repackaging the library using something like jarjar. [DuplicatePlatformClasses]

This fixed those errors:

implementation ('com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0')  {
    exclude group: 'org.apache.httpcomponents'
}

implementation ('com.google.auth:google-auth-library-oauth2-http:0.22.2')  {
    exclude group: 'org.apache.httpcomponents'
}

    OkHttpService service = new OkHttpService();
    // Service-account credentials are read from the JSON key file and scoped to the Android Publisher API.
    GoogleCredentials credentials = GoogleCredentials
            .fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null))
            .createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER);
    // NetHttpTransport comes from google-http-client, the same library that contains the SslUtils class lint flags.
    AndroidPublisher publisher = new AndroidPublisher.Builder(new NetHttpTransport(),
            JacksonFactory.getDefaultInstance(), new HttpCredentialsAdapter(credentials))
            // getString() resolves the resource text; String.valueOf(R.string.app_name) only stringifies the int id.
            .setApplicationName(getString(R.string.app_name))   // needs a Context (e.g. Activity) in scope
            .build();
    SubscriptionPurchase purchase = publisher.purchases().subscriptions()
            .get(BuildConfig.APPLICATION_ID, subscriptionID, token).execute();


<issue
    id="TrustAllX509TrustManager"
    severity="Warning"
    message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
    category="Security"
    priority="6"
    summary="Insecure TLS/SSL trust manager"
    explanation="This check looks for X509TrustManager implementations whose `checkServerTrusted` or `checkClientTrusted` methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.">
    <location
        file="Project\com\google\api\client\util\SslUtils$1.class"/>
</issue>
  • Have you followed the steps in the Google Help Center article? Did you run lint before publishing? Maybe it will point out the vulnerabilities to you. – ChristianB Dec 29 '20 at 11:22
  • @ChristianB It gives me this article; https://support.google.com/faqs/answer/6346016 I don't have any TrustManager or X509TrustManager. – ardalegent Dec 29 '20 at 11:28
  • This might be related to your okhttp implementation. You should configure and run lint `./gradlew lintDebug` and check the results. – ChristianB Dec 29 '20 at 11:31
  • Please post your dependency list snippet for more clarity. – Monim Kaiser Dec 29 '20 at 11:31
  • @MonimKaiser Added to post. – ardalegent Dec 29 '20 at 11:38
  • @ChristianB It gives me 2 errors. Added to post. – ardalegent Dec 29 '20 at 11:41
  • The error suggests you a solution. Have you tried this? – ChristianB Dec 29 '20 at 11:47
  • @ChristianB As I said, I am not using httpclient. You can check dependencies. – ardalegent Dec 29 '20 at 11:49
  • One of your dependencies or added projects is using httpclient. For that reason, you are getting this error. You have to find that and eliminate that one. – Monim Kaiser Dec 29 '20 at 12:19
  • @MonimKaiser I detected them. They are google dependencies. (androidpublisher and oauth2) What should I do? – ardalegent Dec 29 '20 at 12:22
  • @MonimKaiser I fixed these codes on the post. Now it's not giving build failed error. How can I check security vulnerabilities? – ardalegent Dec 29 '20 at 12:29
  • Also check if your app is calling any **http** request. If not, you are free to go. I don't see any other issue. – Monim Kaiser Dec 29 '20 at 12:37
  • If you found that androidpublisher and oauth2 are using TrustManager, you can search how to fix those inside this library (issues tab in GitHub, or just google "Fix TrustManager in xxx Library"); most of these libraries have configurations to prevent this type of error. – rguzman Dec 29 '20 at 12:39
  • @rguzman I didn't find any configuration. Can you check this; https://github.com/googleapis/google-api-java-client-services/issues/6792 – ardalegent Dec 29 '20 at 17:02
  • @MonimKaiser I found some warnings about the vulnerability as I said. I am going to add the code. Can you check it too? – ardalegent Dec 29 '20 at 17:34
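The comments above settle on running `./gradlew lintDebug` and reading the report, and the `<issue>` block in the question shows what that report contains. The script below is an added example (not code from the question, from Google or from any of the libraries listed) that turns that manual check into a CI gate: it parses the lint XML report, keeps only issues in the `Security` category, tells findings inside compiled dependency classes (such as `SslUtils$1.class`) apart from findings in the app's own sources, and returns a non-zero exit status when any remain. It assumes the report is the one lint writes under `build/reports/` (the exact file name, e.g. `lint-results-debug.xml`, depends on the Android Gradle Plugin version); the embedded sample report is constructed from the single finding quoted in the question plus one unrelated warning, so the script runs without a Gradle build.

```python
"""Gate a build on the Security findings in an Android Lint XML report.

Added example, not code from the question or from Google's tooling. It assumes
the XML report written by ``./gradlew lintDebug`` (by default under
``build/reports/``; the file name varies by AGP version). The sample report
below is constructed from the one <issue> quoted in the question plus an
unrelated warning, so the script can be run as-is.
"""
import sys
import xml.etree.ElementTree as ET

SECURITY_CATEGORY = "Security"

# Constructed sample report: the TrustAllX509TrustManager finding from the
# question (located in a dependency's compiled class) and a non-security warning.
SAMPLE_REPORT = r"""<issues format="5">
    <issue
        id="TrustAllX509TrustManager"
        severity="Warning"
        message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
        category="Security"
        priority="6"
        summary="Insecure TLS/SSL trust manager">
        <location
            file="Project\com\google\api\client\util\SslUtils$1.class"/>
    </issue>
    <issue
        id="UnusedResources"
        severity="Warning"
        message="The resource R.string.unused_label appears to be unused"
        category="Performance"
        priority="3"
        summary="Unused resources">
        <location file="app/src/main/res/values/strings.xml" line="12"/>
    </issue>
</issues>
"""


def security_findings(report_xml, min_priority=1):
    """Return (issue id, severity, priority, file) for every Security issue
    whose lint priority is at least min_priority, in report order."""
    root = ET.fromstring(report_xml)
    findings = []
    for issue in root.iter("issue"):
        if issue.get("category") != SECURITY_CATEGORY:
            continue
        priority = int(issue.get("priority", "0"))
        if priority < min_priority:
            continue
        location = issue.find("location")
        path = location.get("file", "<unknown>") if location is not None else "<unknown>"
        findings.append((issue.get("id"), issue.get("severity"), priority, path))
    return findings


def from_dependency(path):
    """A finding inside a .class file comes from a compiled dependency (as with
    SslUtils$1.class in the question), so the remedy is to exclude, upgrade or
    replace that library; a finding in .java/.kt is in the app's own sources."""
    return path.lower().endswith(".class")


def gate(report_xml, min_priority=1):
    """Print each Security finding with its likely origin; return 1 when any
    finding is present (fail the CI step) and 0 otherwise."""
    findings = security_findings(report_xml, min_priority)
    for issue_id, severity, priority, path in findings:
        origin = "dependency" if from_dependency(path) else "app source"
        print(f"{severity:<8} p{priority} {issue_id:<28} [{origin}] {path}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python lint_security_gate.py [path/to/lint-results-debug.xml]
    # Without an argument the constructed sample report is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    sys.exit(gate(report))
```

Run it after `./gradlew lintDebug` with the report path as the only argument; the `dependency` tag on a finding is the cue that, as in the question, the trust manager lives in a library class rather than in the app, so the fix belongs at the dependency level (version upgrade, `exclude`, or a replacement library) rather than in application code.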
