Google rejected the APK update.
The reason for the rejection was a security vulnerability, and I received an email with the following contents:
TrustManager
You can find more information about TrustManager in this Google Help Center article.
How to fix an app that contains an insecure TrustManager implementation
https://support.google.com/faqs/answer/6346016
If your server uses a certificate issued by a well-known CA, one that is already in the Android trust store, you do not need any custom code that implements X509TrustManager: the platform's default trust manager validates the certificate chain for you.
Custom trust handling is only needed when the server certificate was issued by an unknown (private) CA or is self-signed, or when the server is misconfigured and omits an intermediate CA certificate from the chain. Even in those cases, the correct fix is to supply the missing CA certificate to a properly initialized TrustManagerFactory, not to write a trust manager that skips checks.
The app I submitted to Google used a well-known certificate, so I removed the part of the source code that used the X509TrustManager class.
There was no reason to use the X509TrustManager class in the first place.
After removing the X509TrustManager class I submitted the update to Google again, and this time it passed without any problems.
The code below is the code in which the security vulnerability occurs.
Its checkServerTrusted method has an empty body and never throws CertificateException, so no certificate verification policy is applied at all: every certificate the server presents, including a self-signed one forged by an attacker sitting in the middle of the connection, is treated as valid. Because this trust manager is installed as the default SSLSocketFactory, TLS server authentication is disabled for every HttpsURLConnection in the app.
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// VULNERABLE: a trust manager that accepts every certificate.
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // No trust anchors at all.
        return new X509Certificate[]{};
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Empty body: never throws, so every client certificate is accepted.
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Empty body: never throws, so every server certificate is accepted,
        // including self-signed ones presented by a man-in-the-middle.
    }
}};

// Install the all-trusting trust manager as the process-wide default.
try {
    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, trustAllCerts, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
    e.printStackTrace();
}
If you search Google, you will find the following code offered as a way to implement checkServerTrusted. As the Google help page linked above explains, checkValidity only checks the certificate's validity period (notBefore and notAfter): it does not verify the signature chain, the trust anchor, or anything else. If no exception is thrown, checkServerTrusted returns normally and the app trusts the certificate, so any attacker-supplied certificate whose dates happen to be current still passes.
Simply calling the checkValidity method therefore does not resolve the problem.
// STILL VULNERABLE: only the leaf certificate's validity dates are checked.
// The issuer, signature chain and trust anchor are never verified.
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    try {
        chain[0].checkValidity();   // notBefore <= now <= notAfter, nothing more
    } catch (Exception e) {
        throw new CertificateException("Certificate is not valid or trusted");
    }
}
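For contrast, the following is an added example, not code from the original post, of what a checkServerTrusted that actually verifies the certificate looks like: it delegates to the platform's own X509TrustManager (obtained from a TrustManagerFactory initialized with the default CA store), lets the resulting CertificateException propagate, and only then applies an app-specific policy. The class name and the illustrative key-size policy are assumptions made for this example.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (hypothetical class, not the original post's code).
 * Delegates to the platform X509TrustManager, which builds and verifies the
 * whole chain against the device trust store (signatures, validity periods,
 * trust anchor), so nothing has to be reimplemented here.
 */
public final class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager platform;

    public DelegatingTrustManager() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = the platform's default CA store
        this.platform = findX509(tmf.getTrustManagers());
    }

    private static X509TrustManager findX509(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("platform provides no X509TrustManager");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        // Full chain validation. The CertificateException must propagate:
        // catching it and returning normally is exactly the rejected bug.
        platform.checkServerTrusted(chain, authType);

        // App-specific policy runs only after platform validation succeeded,
        // and must also throw to reject. Illustrative policy (assumption):
        // refuse leaf certificates with RSA keys shorter than 2048 bits.
        if (chain[0].getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) chain[0].getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                throw new CertificateException("RSA key too short: " + bits + " bits");
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Report the real trust anchors instead of an empty array.
        return platform.getAcceptedIssuers();
    }
}
```

To use it, pass `new TrustManager[]{ new DelegatingTrustManager() }` to `SSLContext.init` instead of the all-trusting array. Note that if the server certificate is from a well-known CA, this wrapper adds nothing over the platform default and can be left out entirely; its only purpose is to show where extra checks belong relative to the delegated validation.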
Using a certificate from a well-known CA eliminates the need to implement the X509TrustManager class at all.
If custom trust handling is required because the certificate was issued by an unknown CA or is self-signed, an incorrect implementation will get the update rejected again.
Rather than simply calling the checkValidity method, implement certificate verification exactly as described in the link below: load the CA certificate into a KeyStore, initialize a TrustManagerFactory with it, and let the platform's X509TrustManager perform the validation.
See the link below for how to safely implement X509TrustManager.
Security using HTTPS and SSL
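The following is an added example, not code from the original post, of the unknown-CA case handled the way the linked guidance describes: the private CA certificate goes into a KeyStore, a TrustManagerFactory is initialized from it, and the SSLContext built from that factory performs normal chain validation with the private CA as its only trust anchor. No X509TrustManager is written by hand. The class name, the file argument and the example host are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class, not the original post's code).
 * Trusts a server whose certificate chains to a private or self-signed CA,
 * using the platform's own trust manager anchored at that CA.
 */
public final class PrivateCaClient {

    /** Builds a socket factory that trusts only the CA certificate read from caCert (PEM or DER). */
    public static SSLSocketFactory socketFactoryTrustingOnly(InputStream caCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCert);

        // Empty keystore holding just our CA; the platform CAs are deliberately absent,
        // so a certificate from any other issuer is rejected.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // The platform's X509TrustManager, now anchored at our CA. It still performs
        // full chain building, signature and validity checks.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    /** Usage (assumed): java PrivateCaClient my-ca.pem https://internal.example.test/ */
    public static void main(String[] args) throws Exception {
        try (InputStream caCert = new FileInputStream(args[0])) {
            SSLSocketFactory factory = socketFactoryTrustingOnly(caCert);
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
            // Apply it to this connection only. Avoid setDefaultSSLSocketFactory unless
            // every HTTPS endpoint the app talks to is really issued by this CA.
            conn.setSSLSocketFactory(factory);
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

On Android the CA certificate would typically be read from a raw resource (for example `getResources().openRawResource(...)`) rather than a file path, but the trust-store construction is the same. If the handshake fails with an "unknown CA" error against a server that uses a public CA, the cause is usually a missing intermediate certificate on the server; the intermediate can be added to the same KeyStore, but fixing the server configuration is the better remedy.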