PankajAndroid

Reputation: 2705

Android X509TrustManager app rejected by Google Play

The application is working fine, but while uploading the application it raised the below error in the Google Play Console:

Vulnerability TrustManager To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. To confirm you’ve updated correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning. For additional information and next steps, please see this Google Help Center article.

I have used the below code for the API call:

    import org.apache.http.HttpVersion;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.params.ConnManagerPNames;
    import org.apache.http.conn.params.ConnPerRouteBean;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
    import org.apache.http.params.BasicHttpParams;
    import org.apache.http.params.HttpParams;
    import org.apache.http.params.HttpProtocolParams;

    // EasySSLSocketFactory is the custom socket factory (with the custom X509TrustManager) from the linked questions.
    private DefaultHttpClient createHttpClient() {
        DefaultHttpClient client = null;
        try {
            SchemeRegistry schemeRegistry = new SchemeRegistry();
            // http scheme
            schemeRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
            // https scheme
            schemeRegistry.register(new Scheme("https", new EasySSLSocketFactory(), 443));

            HttpParams mHttpParams = new BasicHttpParams();
            mHttpParams.setParameter(ConnManagerPNames.MAX_TOTAL_CONNECTIONS, 30);
            mHttpParams.setParameter(ConnManagerPNames.MAX_CONNECTIONS_PER_ROUTE, new ConnPerRouteBean(30));
            mHttpParams.setParameter(HttpProtocolParams.USE_EXPECT_CONTINUE, false);
            HttpProtocolParams.setVersion(mHttpParams, HttpVersion.HTTP_1_1);
            ClientConnectionManager cm = new ThreadSafeClientConnManager(mHttpParams, schemeRegistry);
            client = new DefaultHttpClient(cm, mHttpParams);
        } catch (Exception e) {
            e.printStackTrace();
            // Fall back to a client with the default scheme registry
            client = new DefaultHttpClient();
        }
        return client;
    }

My URL is IP-based, over HTTP.

I have used the below for X509TrustManager: x509trustmanager-from-google, trusting-all-certificates-using-httpclient

Upvotes: 2

Views: 3354

Answers (2)

PankajAndroid

Reputation: 2705

Finally, the issue was due to the ACRA lib. I have removed ACRA & Flurry.
The app uploaded successfully on Google Play.

Upvotes: 0

sergej shafarenka

Reputation: 20426

This is a warning saying that you use an insecure X509TrustManager with empty checkClientTrusted() and checkServerTrusted() methods. Those methods are supposed to check client and server certificates as part of the HTTPS contract and throw an exception if the given certificates are invalid. By keeping those methods empty you kind of break the whole HTTPS security, because your code will accept literally any certificate. For instance, your app is vulnerable to a man-in-the-middle attack. Such an empty implementation is almost the same as a plain HTTP one.

Using SSLSocketFactory.getSocketFactory() instead of new EasySSLSocketFactory() would solve the issue. The server your app connects to must have a valid CA-signed certificate.

Upvotes: 4
