Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Won't Fix
- Affects Version/s: 1.6.1
- Fix Version/s: None
Description
We are using a security tool that reported this issue.
The following Java classes defined within the App define a custom X509TrustManager (https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html) that does not validate SSL certificates:
org.apache.cordova.filetransfer.FileTransfer$3
The affected classes define an empty checkServerTrusted() method, thereby disabling SSL validation and hence accepting any SSL certificate as valid whenever the class is used to connect to a server over SSL/TLS.
Regardless of whether the affected classes are used at runtime, Google Play blocks any App that defines such an insecure X509TrustManager, as detailed on Google's support page (https://support.google.com/faqs/answer/6346016):
"Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager."
Additionally, Google's presentation at the Black Hat 2016 conference (https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf) shows (on slide 45) the vulnerable code pattern found in such classes, which Google Play will ban:
// Dangerous code: do not do this!
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[] {
    new X509TrustManager() {
        // Empty bodies: no chain is ever rejected, so any certificate is "trusted"
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; }
    }
}, null);
// Installs the all-trusting socket factory process-wide for every HttpsURLConnection
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
Lastly, a list of Apps that have already been blocked by Google Play because of this issue can be found here (https://stackoverflow.com/search?q=%5Bandroid-security%5D+checkServerTrusted).
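As an added example (not code from the report, the Cordova plugin, or Google's slide), the following class puts the insecure trust manager described above next to a hardened replacement: it obtains the platform's default X509TrustManager from TrustManagerFactory, wraps it so that an empty chain is rejected explicitly, and optionally pins the leaf certificate's SubjectPublicKeyInfo SHA-256 hash after the default validation has passed. Class and method names are illustrative; java.util.Base64 assumes Android API 26+ or a desktop JDK.

```java
// Added example, not part of the original report or of cordova-plugin-file-transfer.
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustManagerExample {

    /** What the report describes: every chain is accepted, so an active MITM succeeds. */
    static X509TrustManager insecureTrustManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** The platform's own X509TrustManager (system CA store on Android, cacerts on a JDK). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Hardened variant: delegate chain validation to the default trust manager, then
     * additionally require the leaf certificate's SPKI SHA-256 (base64 of the digest over the
     * DER-encoded public key) to match one of the expected pins. An empty pin set disables
     * pinning but never disables chain validation.
     */
    static X509TrustManager pinningTrustManager(final X509TrustManager delegate, final String... pinsSha256) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
                delegate.checkServerTrusted(chain, authType); // validity period, chain to a trusted root, EKU
                if (pinsSha256.length == 0) return;
                String leafPin = spkiSha256(chain[0]);
                if (!Arrays.asList(pinsSha256).contains(leafPin)) {
                    throw new CertificateException("public key pin mismatch: " + leafPin);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }

    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Install a socket factory that validates chains (and pins, if any) for all HttpsURLConnections. */
    static void installHardenedDefault(String... pinsSha256) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager(defaultTrustManager(), pinsSha256) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is separate from chain validation; HttpsURLConnection's default
        // verifier stays active as long as setDefaultHostnameVerifier is never overridden.
    }

    public static void main(String[] args) throws Exception {
        installHardenedDefault(); // no pins: plain platform validation
        X509TrustManager bad = insecureTrustManager();
        bad.checkServerTrusted(new X509Certificate[0], "RSA"); // accepted silently: the bug
        try {
            pinningTrustManager(defaultTrustManager()).checkServerTrusted(new X509Certificate[0], "RSA");
        } catch (CertificateException e) {
            System.out.println("hardened manager rejected empty chain: " + e.getMessage());
        }
    }
}
```

The important property of the hardened version is that it never replaces the platform's validation, only adds to it: a pin mismatch, an untrusted root, or an expired certificate each fail closed with a CertificateException. If a development build needs to reach a server with a self-signed certificate, the right move is to load that one certificate into a KeyStore and pass it to TrustManagerFactory.init, not to blank out checkServerTrusted.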