Google Play security alert for insecure TrustManager

android security ssl android-security trustmanager
Muzikant picture Muzikant · Feb 17, 2016 · Viewed 11.5k times · Source

In one of my apps I'm using HTTPS with a self-signed certificate and followed the sample code from the android developer training site (https://developer.android.com/training/articles/security-ssl.html#UnknownCa).

I recently got the following alert saying that the current implementation is not secured:

Security alert

Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Can someone provide more details on what should be updated beyond the sample code linked above?

Should I implement a custom TrustManager? If so, what should it verify?

Answer

Rejinderi picture Rejinderi · Feb 19, 2016

Try to search for "TrustManager" in your codes, if none is to be found, most of the cases it is because of third party libraries included.

For me it was because of using an older version of ACRA (https://github.com/ACRA/acra).

Related questions

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. Android 2.3

In my server (production server), I have a goDaddy ssl certificate. I have both iOS and Android apps connecting with the server, iOS connecting with no problems, android with versions 4.* everything is good, but with devices with 2.3.* I always get …

Read More
How safe are client SSL certificates in a mobile app?

I'd like to have secure communication between my Android/iOS app and my Internet-accessible backend service, so I'm investigating HTTPS/SSL. If I create self-signed certificates, then put a client certificate in the app and cause the backend service to …

Read More
How to avoid reverse engineering of an APK file?

I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file. If someone changes the .apk extension to .zip then they can unzip …

Read More