Google Play security alert for insecure TrustManag

In one of my apps I'm using HTTPS with a self-signed certificate and followed the sample code from the android developer training site (https://developer.android.com/training/articles/security-ssl.html#UnknownCa).

I recently got the following alert saying that the current implementation is not secured:

Security alert

Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Can someone provide more details on what should be updated beyond the sample code linked above?

Should I implement a custom TrustManager? If so, what should it verify?

标签： android security ssl android-security trustmanager

4条回答

beautiful°

2楼-- · 2019-01-11 13:32

Try to search for "TrustManager" in your codes, if none is to be found, most of the cases it is because of third party libraries included.

For me it was because of using an older version of ACRA (https://github.com/ACRA/acra).

0人赞添加讨论(0) 举报

劫难

3楼-- · 2019-01-11 13:35

May be late, but hope it can help someone, call this method before request to server. If certificate not trust, you have implement dialog or something so user can decide, here I use alert dialog.

public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task){
        try {
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            });

            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new X509TrustManager[]{new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                }

                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    try {
                        chain[0].checkValidity();
                    } catch (final Exception e) {

                        mActivity.runOnUiThread(new Runnable() {
                            @Override
                            public void run() {
                                AlertDialog.Builder builder = new AlertDialog.Builder(mActivity);
                                AlertDialog alertDialog = builder.create();
                                alertDialog.setCancelable(false);
                                String message = "There a problem with the security certificate for this web site.";
                                message += "\nDo you want to continue anyway?";
                                alertDialog.setTitle("SSL Certificate Error");
                                alertDialog.setMessage(message);
                                alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
                                    @Override
                                    public void onClick(DialogInterface dialog, int which) {
                                        acceptSSL = true;
                                        return;

                                    }
                                });

                                alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
                                    @Override
                                    public void onClick(DialogInterface dialog, int which) {
                                        acceptSSL = true;
                                        task.onInterruptedDownload();
                                    }
                                });
                                alertDialog.show();

                            }

                        });

                        while( !acceptSSL){
                            try{
                                Thread.sleep(1000);
                            } catch( InterruptedException er) { }
                        }

                    }
                }
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            }}, new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
        } catch (Exception e) { // should never happen
            e.printStackTrace();
        }
    }

0人赞添加讨论(0) 举报

啃猪蹄的小仙女

4楼-- · 2019-01-11 13:53

For me the problem was Mobilecore. I've removed the library from the app and upload a new version of the apk and the warning has disappeared from the GPlay Dev Console.

0人赞添加讨论(0) 举报

狗以群分

5楼-- · 2019-01-11 13:57

I have also identified that ARCA 4.3 appears to potentially be the culprit for my app.

Question, does anyone know to verify that the issue is resolved? Currently, the Play store I have access to is not causing Google to issue me the warning, but one of our partners who has published the app has received the warning. I would like to verify that the issue is resolved before providing our partner with a new APK.

0人赞添加讨论(0) 举报

Google Play security alert for insecure TrustManag

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间