RogueWave
Aspiring developer
Posts: 337
Reg: Jan 23, 2013
Park City
5,120
02/21/16 07:17 PM (6 years ago)

Google Play Store Warning

I got this warning from Google Play Store Development and I need to know what to do.

Hello Google Play Developer,

Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags "android-security" and "TrustManager."

Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager. To confirm you've made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.

While these specific issues may not affect every app with the TrustManager implementation, it's best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement. Apps must also comply with the Developer Distribution Agreement and Content Policy.

If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,
The Google Play Team
 
krompa
Lost but trying
Posts: 257
Reg: Jun 14, 2013
Bristol
8,820
02/22/16 01:41 AM (6 years ago)
Just a thought... Would it be useful to list the following:
- Date app created
- BT version
- Plugins used
- Self hosted or not
If the guy 7 posts down (on the main forum) could do the same, then that might help the BT community to pinpoint the problem.
 
AlanMac
Aspiring developer
Posts: 2612
Reg: Mar 05, 2012
Esher, UK
37,120
02/22/16 03:55 AM (6 years ago)
Also, are you (knowingly) using https content in your app? Might it be that one of your plugins or libraries does? There is some stuff on stackoverflow that sounds similar: http://stackoverflow.com/questions/35490107/you-are-using-an-unsafe-implementation-of-x509trustmanager

It would be interesting to find out where this problem is; there is a possibility that it might affect more BT apps than just yours.

Cheers, Alan
 
GoNorthWest
buzztouch Evangelist
Posts: 8197
Reg: Jun 24, 2011
Oro Valley, AZ
1,000,000
02/22/16 07:40 AM (6 years ago)
I've sent an email to David Book to see if we can get some focus on this. I'm guessing that it's something in the BT code that needs to be fixed. We've been seeing this with quite a few apps in the forum. The dataURL and reportToCloud URLs all use the https protocol. I'm guessing that's where things might be going awry (unless there are other places people are using https as well).

Mark
 
Dusko
Veteran developer
Posts: 998
Reg: Oct 13, 2012
Beograd
22,680
02/22/16 09:44 AM (6 years ago)
I have gotten this warning only for one of my apps, Opera Music. In theory, you get this warning if you are using HTTPS from apache. Testing this hypothesis, I ran a search and indeed, that app contains apache.https in dozens of places. BUT, I have a twin app called Opera Music Favorites which uses exactly the same modules as the first app, but that second app did NOT get the warning (at least, not so far). So, the jury is still out on this one.
 