Opened 21 months ago

Closed 7 weeks ago

#1344 closed defect/bug (fixed)

unsafe implementation of the interface X509TrustManager

Reported by: kazer Owned by: cp15
Priority: major Milestone: version 0.5.1
Component: port/android Version:
Severity: normal Keywords:
Cc:

Description

Hello Google Play Developer,

Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager”.

Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

Change History (2)

comment:1 Changed 21 months ago by jandegr

As found on http://stackoverflow.com/questions/35465916/google-play-security-alert-for-insecure-trustmanager

in the answer by Rejinderi

Try to search for "TrustManager" in your code; if none is to be found, in most cases it is because of third-party libraries included.

For me it was because of using an older version of ACRA (https://github.com/ACRA/acra).

comment:2 Changed 7 weeks ago by http://wiki.navit-project.org/index.php/user:jkoan

  • Resolution set to fixed
  • Status changed from new to closed

This issue is related to Acra. Navit uses 4.8.5 while the issue was fixed in 4.8.2.
