Google Play security alert for insecure TrustManager
In one of my apps I'm using HTTPS with a self-signed certificate and followed the sample code from the android developer training site (https://developer.android.com/training/articles/security-ssl.html#UnknownCa).

I recently got the following alert saying that the current implementation is not secure:

Security alert

Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Can someone provide more details on what should be updated beyond the sample code linked above?

Should I implement a custom TrustManager? If so, what should it verify?

Polystyrene answered 17/2, 2016 at 19:27 Comment(7)
Um, that seems to be covered in the Google Help Center article: "To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations." How exactly are you setting up your TrustManager? How are you using it? – Covenantee
@Covenantee Exactly as in the sample code developer.android.com/training/articles/… Should I do anything differently? – Polystyrene
There is no code for the self-signed server certificate scenario on the page that you linked to. There is code for the unknown-certificate-authority scenario. – Covenantee
The section about the self-signed certificate refers to the same sample code: "The second case of SSLHandshakeException is due to a self-signed certificate, which means the server is behaving as its own CA. This is similar to an unknown certificate authority, so you can use the same approach from the previous section." – Polystyrene
@Covenantee I'm also looking at this example for implementing a custom TrustManager, but I'm not sure if that is sufficient: blog.fordemobile.com/2012/04/https-requests-on-android.html (look at the EasyX509TrustManager implementation). – Polystyrene
If you are literally using the code from the docs, and you do not have implements X509TrustManager in your code anywhere, perhaps it is coming from a library in your project, rather than your own code. Are you using any libraries that use Internet access (e.g., ad networks)? – Covenantee
@Covenantee I think I found it! It's in mobilecore.jar (IronSource ads). Thanks for the tip to look in external libraries. – Polystyrene
For me the problem was Mobilecore. I removed the library from the app and uploaded a new version of the APK, and the warning has disappeared from the GPlay Dev Console.

Laporte answered 19/2, 2016 at 10:50 Comment(0)
Try searching for "TrustManager" in your code; if none is found, in most cases it is because of included third-party libraries.

For me it was because of using an older version of ACRA (https://github.com/ACRA/acra).

Mania answered 19/2, 2016 at 2:57 Comment(3)
As mentioned in the comments to the question, this was a similar case with a different 3rd-party library. – Polystyrene
Is there any way we can catch this issue during compilation, like using Lint or any static analysis tool? – Antediluvian
@Antediluvian I look for checkServerTrusted in the mapping.txt produced by ProGuard. – Piecedyed
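The mapping.txt check Piecedyed describes, as an added example (my code, not from any answer): it walks a ProGuard/R8 mapping file and lists every original, pre-obfuscation class that declares checkServerTrusted, which surfaces X509TrustManager implementations pulled in from third-party jars that a source search would miss. The class name, method names and the sample mapping below are constructed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public final class TrustManagerFinder {
    // Returns the original class names, in file order, whose members include checkServerTrusted.
    public static List<String> findTrustManagers(BufferedReader mapping) throws IOException {
        List<String> hits = new ArrayList<>();
        String currentClass = null;
        String line;
        while ((line = mapping.readLine()) != null) {
            if (!line.startsWith(" ") && line.endsWith(":")) {
                // class line: "original.Name -> obfuscated.Name:"
                int arrow = line.indexOf(" -> ");
                currentClass = arrow > 0 ? line.substring(0, arrow) : line.substring(0, line.length() - 1);
                continue;
            }
            // member line, optionally prefixed with "start:end:" source line numbers
            String member = line.trim().replaceFirst("^\\d+:\\d+:", "");
            if (currentClass != null && member.contains("checkServerTrusted(") && !hits.contains(currentClass)) {
                hits.add(currentClass);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample mapping, not taken from a real build; pass a path to use a real mapping.txt.
        String sample = String.join("\n",
            "com.example.app.MainActivity -> com.example.app.MainActivity:",
            "    void onCreate(android.os.Bundle) -> onCreate",
            "com.thirdparty.ads.EasyX509TrustManager -> a.b.c:",
            "    12:14:void checkClientTrusted(java.security.cert.X509Certificate[],java.lang.String) -> a",
            "    16:18:void checkServerTrusted(java.security.cert.X509Certificate[],java.lang.String) -> b",
            "    java.security.cert.X509Certificate[] getAcceptedIssuers() -> c");
        BufferedReader in = args.length > 0
            ? Files.newBufferedReader(Paths.get(args[0]))
            : new BufferedReader(new StringReader(sample));
        for (String cls : findTrustManagers(in)) {
            System.out.println("checkServerTrusted declared in " + cls);
        }
    }
}
```

Run it against the mapping.txt of a release build; any class it reports that is not your own is a library you need to update or drop.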
May be late, but I hope it can help someone: call this method before the request to the server. If the certificate is not trusted, you have to implement a dialog or something so the user can decide; here I use an alert dialog.

import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;

// Written from the UI thread and read from the network thread, so both flags must be volatile.
private static volatile boolean userDecided = false;
private static volatile boolean acceptSSL = false;

public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task) {
    try {
        // Accepts every hostname: hostname verification is switched off for all HttpsURLConnections.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new X509TrustManager[]{new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    // Only checks the validity period of the leaf certificate; issuer and chain are not verified.
                    chain[0].checkValidity();
                } catch (final Exception e) {
                    userDecided = false;
                    acceptSSL = false;
                    mActivity.runOnUiThread(new Runnable() {
                        @Override
                        public void run() {
                            AlertDialog.Builder builder = new AlertDialog.Builder(mActivity);
                            AlertDialog alertDialog = builder.create();
                            alertDialog.setCancelable(false);
                            String message = "There is a problem with the security certificate for this web site.";
                            message += "\nDo you want to continue anyway?";
                            alertDialog.setTitle("SSL Certificate Error");
                            alertDialog.setMessage(message);
                            alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
                                @Override
                                public void onClick(DialogInterface dialog, int which) {
                                    acceptSSL = true;
                                    userDecided = true;
                                }
                            });
                            alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
                                @Override
                                public void onClick(DialogInterface dialog, int which) {
                                    acceptSSL = false;
                                    userDecided = true;
                                    task.onInterruptedDownload();
                                }
                            });
                            alertDialog.show();
                        }
                    });

                    // Block the network thread until the user has answered the dialog.
                    while (!userDecided) {
                        try {
                            Thread.sleep(1000);
                        } catch (InterruptedException er) { }
                    }
                    // Cancel has to fail the handshake; returning normally here would accept the certificate anyway.
                    if (!acceptSSL) {
                        throw new CertificateException("Server certificate rejected by user", e);
                    }
                }
            }

            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        }}, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    } catch (Exception e) { // should never happen
        e.printStackTrace();
    }
}
Damara answered 12/5, 2016 at 11:29 Comment(0)
I have also identified that ACRA 4.3 appears to potentially be the culprit for my app.

Question: does anyone know how to verify that the issue is resolved? Currently, the Play store I have access to is not causing Google to issue me the warning, but one of our partners who has published the app has received the warning. I would like to verify that the issue is resolved before providing our partner with a new APK.

Milreis answered 19/2, 2016 at 16:44 Comment(0)