URL and Link repository

Sunday, February 21, 2016

X509 Trust Manager Interface Resolved

My Android app WAR had been using an imported version of the Application Crash Reports for Android (ACRA) library that was implemented incorrectly. The external JAR was acra-4.2.3.jar, which I automatically assumed to be outdated.

Therefore, I downloaded and copied acra-4.8.2.jar to the app/libs directory in Android Studio. Here is the series of steps that I took to find that updated ACRA jar file.

  • Started with a Bing search on acra-4.2.3.jar
  • SERP came back with
    https://code.google.com/archive/p/acra/wikis/ACRA3HowTo.wiki
  • This led to
    https://code.google.com/archive/p/acra/
  • Then to
    https://github.com/ACRA/acra
  • Which pointed to
    https://github.com/ACRA/acra/wiki/BasicSetup
  • Then
    http://search.maven.org/#search%7Cga%7C1%7Cch.acra
  • And finally arriving at
    https://repo1.maven.org/maven2/ch/acra/acra/4.8.2/acra-4.8.2.zip
  • After unzipping and copying the jar file to Android Studio app/libs directory, I modified the build.gradle file as follows:

    dependencies {
        compile files('libs/httpmime-4.1.1.jar')
        compile files('libs/acra-4.8.2.jar')
    }

Mission accomplished, for now at least. I certainly realize that I may have just added to my tech debt, but if it's working now, I won't risk introducing new bugs.
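The steps above end with a hand-copied artifact from repo1.maven.org going into app/libs. Maven Central publishes a .sha1 sidecar next to every file (the same URL with ".sha1" appended, e.g. acra-4.8.2.zip.sha1), so the download can be checked before it is trusted. The following is an added example, not code from the original post or from ACRA; it assumes the artifact and its sidecar have both been saved locally, and the class and file names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Checks a downloaded Maven Central artifact (e.g. acra-4.8.2.zip) against the .sha1
 * sidecar published next to it (acra-4.8.2.zip.sha1).
 * Added example: not part of the original post or of ACRA.
 */
public class VerifyMavenArtifact {

    /** Lower-case hex encoding of a digest. */
    static String toHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** SHA-1 of the file's contents, streamed so a large jar is not read into memory at once. */
    static String sha1Hex(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] buf = new byte[8192];
        try (InputStream in = Files.newInputStream(file)) {
            int n;
            while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
        }
        return toHex(md.digest());
    }

    /**
     * A .sha1 sidecar holds the hex digest, sometimes followed by whitespace and a file name
     * ("<hex>  acra-4.8.2.zip"). Only the first token is the digest.
     */
    static String expectedFromSidecar(Path sidecar) throws IOException {
        String text = new String(Files.readAllBytes(sidecar), StandardCharsets.US_ASCII).trim();
        return text.split("\\s+")[0].toLowerCase();
    }

    /** True only if the artifact's digest equals the one the sidecar announces. */
    static boolean matches(Path artifact, Path sidecar) throws IOException, NoSuchAlgorithmException {
        byte[] expected = expectedFromSidecar(sidecar).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = sha1Hex(artifact).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java VerifyMavenArtifact <artifact> <artifact.sha1>");
            System.exit(2);
        }
        Path artifact = Paths.get(args[0]);
        Path sidecar = Paths.get(args[1]);
        if (matches(artifact, sidecar)) {
            System.out.println("OK: " + artifact + " matches " + sidecar);
        } else {
            System.err.println("MISMATCH: " + artifact + " does not match " + sidecar + "; do not use it");
            System.exit(1);
        }
    }
}
```

A checksum fetched from the same server as the artifact proves only that the download arrived intact; it does not prove who published it, which is what the .asc PGP signature Maven Central also serves is for. The lower-effort option is to let Gradle resolve ch.acra:acra:4.8.2 from Maven Central instead of copying the jar by hand, since Gradle compares the repository's .sha1 checksum itself during resolution, and the dependency then shows up in a searchable, updatable form rather than as an opaque file in app/libs.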

Friday, February 19, 2016

X509 Trust Manager Interface

This is the warning letter from Google to fix the unsafe implementation of the interface X509TrustManager.

My fix will be posted shortly.

Hello Google Play Developer,
Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”
Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.
To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.
Regards,
The Google Play Team

©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

Affected app(s), version(s), and class(es):

    App             Version   Class
    org.warmixare   89        org.acra.util.NaiveTrustManager
    org.warmixare2  93        org.acra.util.NaiveTrustManager
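What the notice is describing, and what a compliant replacement looks like, as an added example that is not part of the original post and is not ACRA's NaiveTrustManager source. The first class shows the "accept everything" pattern the email flags (all checks are no-ops); the second delegates to the platform's default trust store and additionally pins the server's leaf certificate, raising CertificateException on any failure as the notice asks. Class names, the pinned fingerprint set and the socket-factory helper are assumptions made for this example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * The pattern the notice describes: every check is a no-op, so a self-signed, expired or
 * attacker-issued certificate is accepted and HTTPS gives no protection against MITM.
 * Illustration of the pattern only (added example); this is not ACRA's NaiveTrustManager source.
 */
final class TrustAllManager implements X509TrustManager {
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

/**
 * Hardened replacement: runs the platform's normal chain validation first, then additionally
 * requires the leaf certificate's SHA-256 fingerprint to be one the app shipped (pinning).
 * Every failure is raised as CertificateException, as the notice asks; nothing returns silently.
 */
final class PinnedTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final Set<String> pinnedLeafSha256;   // lower-case hex fingerprints (assumed input)

    PinnedTrustManager(Set<String> pinnedLeafSha256) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null keystore -> the platform's default CA store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new NoSuchAlgorithmException("no X509TrustManager available");
        this.platform = found;
        this.pinnedLeafSha256 = pinnedLeafSha256;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        // 1. Standard PKI validation: chains to a trusted root, within validity, correct usage.
        platform.checkServerTrusted(chain, authType);
        // 2. Pinning: the leaf must be one we expect. Reject anything else.
        String fp = sha256Hex(chain[0]);
        if (!pinnedLeafSha256.contains(fp)) {
            throw new CertificateException("server certificate not pinned: " + fp);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** SHA-256 over the DER encoding of the certificate, as lower-case hex. */
    static String sha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Wires the trust manager into an SSLContext for HttpsURLConnection.setSSLSocketFactory(). */
    static SSLSocketFactory socketFactoryFor(Set<String> pinnedLeafSha256) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(pinnedLeafSha256) }, null);
        return ctx.getSocketFactory();
    }
}
```

If the app has no reason to pin, the simplest correct fix is to delete the custom trust manager altogether and let HttpsURLConnection use the platform defaults, which already reject untrusted chains; the custom class only exists to make the check stricter, never looser. Leave the default HostnameVerifier in place as well, since checkServerTrusted validates the chain but not that the certificate is for the host being contacted. Pinning the leaf means every certificate renewal on the server requires an app update, so in practice pin the issuing CA or the subject public key instead; the fingerprint to pin can be read with `openssl x509 -in server.pem -noout -fingerprint -sha256`.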