In one of my apps I'm using HTTPS with a self-signed certificate and followed the sample code from the android developer training site (https://developer.android.com/training/articles/security-ssl.html#UnknownCa).
I recently got the following alert saying that the current implementation is not secured:
Security alert
Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
Can someone provide more details on what should be updated beyond the sample code linked above?
Should I implement a custom TrustManager
? If so, what should it verify?
Try to search for "TrustManager" in your codes, if none is to be found, most of the cases it is because of third party libraries included.
For me it was because of using an older version of ACRA (https://github.com/ACRA/acra).