You are using an unsafe implementation of X509TrustManager

5

12

I've an app in Google Play, today I received a mail from Google saying that:

Google Play warning: You are using an unsafe implementation of X509TrustManager

It says something about the SSL certificate issues and a way to solve the issue.

I'm asking this question because of curiosity,

  1. Actually what is this warning all about?
  2. I'm not using any network related activities in my app (it's a local database driven app), so why this warning occurred for my app?

More Details:

My app was built using Appcelerator Titanium and Google says this implementation is in ti.modules.titanium.network.NonValidatingTrustManager;. I'm sure that I never used such a class in my code.

Larry answered 18/2, 2016 at 18:56 Comment(0)
8

Actually what is this warning all about?

You should have been linked to this page, which explains what it is all about. In a nutshell, Google is scanning apps for people who screw up SSL, such as blindly accepting all certificates as valid.

I'm not using any network related activities in my app (it's a local database driven app), so why this warning occurred for my app?

Because something else in your APK has done this. In the case of this developer, it was a library.

My app was built using Appcelerator Titanium and Google says this implementation is in ti.modules.titanium.network.NonValidatingTrustManager;. I'm sure that I never used such a class in my code.

You may not have used it directly. However, something else is using it. Or, perhaps it is there because it is just part of the overall Titanium framework and remains in your APK.

Brahear answered 18/2, 2016 at 19:8 Comment(0)
6

Appcelerator is tracking this issue on JIRA here: https://jira.appcelerator.org/browse/TIMOB-20431

We also put out a blog post with information here: http://www.appcelerator.com/blog/2016/02/google-security-alert-unsafe-implementation-of-the-interface-x509trustmanager/

The email speaks about a May 17th deadline for newly submitted (!) apps and updates. We will have a fix and instructions ready in time.

Viniculture answered 19/2, 2016 at 7:1 Comment(0)
2

Read this: http://docs.appcelerator.com/platform/latest/#!/guide/SSL_Certificate_Store_Support_for_HTTP_Clients

It's all about Google pushing everybody to use HTTPS. If you are using the Titanium.Network.createHTTPClient object in your app, then you will have to implement that with this:

var certificateStore = require('ti.certificatestore');

The module can be found here: https://github.com/appcelerator-modules/ti.certificatestore

Ultima answered 18/2, 2016 at 23:1 Comment(0)
1

The problem is not related to the JS code. It is inside the Titanium SDK, no matter whether you use certain functions or not. I think the possible solution is to rewrite the class https://github.com/appcelerator/titanium_mobile/blob/bc85170157d3bebc5de1d61a9fe6e34bce84a8c9/android/modules/network/src/java/ti/modules/titanium/network/NonValidatingTrustManager.java

We should create a safe implementation of X509TrustManager

Sibylsibylla answered 19/2, 2016 at 6:6 Comment(1)
Appcelerator will have an updated SDK ready in time for the mid-May deadline. More information on our blog soon. - Viniculture
0

I just got the same message on one of my apps. Same module specified as the OP.

ti.modules.titanium.network.NonValidatingTrustManager;

A few points from my research so far:

You should instead use the HTTPClient's securityManager property to implement support for SSL Certificate Stores.

  • the SecurityManagerProtocol docs, unfortunately, have no examples. The few references I could find (http://docs.appcelerator.com/platform/latest/#!/api/Modules.Https) require the use of modules.https which is a PAID module only.

  • I'm left with the question: If Google rejects all Appcelerator apps with this particular issue, and only developers with paid subscriptions get an officially-supported solution, does this mean Appcelerator 'community edition' is officially incompatible with Google Play? Is Appcelerator planning to support HTTPS officially for its community members?

Anyone from Appcelerator care to comment, please? Thank you, David

Eiland answered 19/2, 2016 at 4:6 Comment(1)
Appcelerator will have an updated SDK ready in time for the mid-May deadline. More information on our blog soon. Indeed the HTTPS module is a premium team+ module but we will make sure any Titanium developer can be ready before the mid-May deadline. - Viniculture
