cordova-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (CB-12809) Google Play Blocker: Unsafe SSL TrustManager Defined
Date Fri, 12 May 2017 23:07:04 GMT


ASF GitHub Bot commented on CB-12809:

Github user amovsesy commented on the issue:
    @jcesarmobile, I understand, but this is violating Google Play's ToS, and it clearly states that any new updates or apps using an unsafe implementation of TrustManager will be blocked. Given that, any apps using this code would be in violation and could be blocked from the Google store.

> Google Play Blocker: Unsafe SSL TrustManager Defined
> ----------------------------------------------------
>                 Key: CB-12809
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-plugin-file-transfer
>    Affects Versions: 1.6.1
>            Reporter: Aleksandr Movsesyan
>            Priority: Critical
>              Labels: android
> We are using a security tool that reported this issue.
> The following Java classes defined within the App define a custom X509TrustManager that does not validate SSL certificates:
> org.apache.cordova.filetransfer.FileTransfer$3
> The affected classes define an empty checkServerTrusted() method, thereby disabling SSL validation and hence accepting any SSL certificate as valid, if the class is used when connecting to a server over SSL/TLS.
> Regardless of whether affected classes are used or not at runtime, Google Play is blocking any App that defines such an insecure X509TrustManager, as detailed on Google's support page:
> "Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager."
> Additionally, Google's presentation at the Black Hat 2016 conference details (on slide 45) the vulnerable code found in the vulnerable classes, that Google Play will ban:
> // Dangerous code: do not do this!
> import java.security.cert.X509Certificate;
> import javax.net.ssl.HttpsURLConnection;
> import javax.net.ssl.SSLContext;
> import javax.net.ssl.TrustManager;
> import javax.net.ssl.X509TrustManager;
>
> // getInstance() and init() throw checked exceptions, so this runs inside a
> // method that declares "throws Exception".
> SSLContext ctx = SSLContext.getInstance("TLS");
> ctx.init(null, new TrustManager[] {
>     new X509TrustManager() {
>         // Empty bodies: no certificate chain is ever rejected.
>         public void checkClientTrusted(X509Certificate[] chain, String authType) {}
>         public void checkServerTrusted(X509Certificate[] chain, String authType) {}
>         public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; }
>     }
> }, null);
> HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
> Lastly, a list of Apps that have already been blocked by Google Play because of this issue can be found here.

This message was sent by Atlassian JIRA
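The issue above shows only the trust-all pattern that Google Play rejects. The following Java is an added example for this archive, not code from cordova-plugin-file-transfer or from its eventual fix: it places that trust-all X509TrustManager beside two hardened alternatives (the platform trust store, and a single pinned CA that is still fully chain-validated), plus a small check a unit test can use to catch a no-op trust manager. The class name TrustManagerExamples, the method names, the "pinned-ca" alias and the caPem InputStream (a CA certificate in PEM form supplied by the caller) are assumptions made for illustration.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustManagerExamples {

    /** The pattern Google Play flags: every method is a no-op, so any chain is accepted.
     *  Kept only so it can be compared against the hardened forms below; never ship it. */
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** Hardened, default case: passing null for the TrustManager array makes SSLContext
     *  fall back to the default TrustManagerFactory over the platform CA store. */
    static SSLContext platformContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    /** The platform's own X509TrustManager, for callers that need to wrap or inspect it. */
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                     // null KeyStore => system CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Hardened, custom-CA case (e.g. a dev server signed by a private CA): trust only the
     *  supplied CA, but still run full chain validation against it. How the CA reaches the
     *  app (asset, resource, config) is the caller's concern; the PEM stream is an assumption. */
    static SSLContext pinnedCaContext(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                           // empty in-memory store
        ks.setCertificateEntry("pinned-ca", ca);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Cheap self-check for a unit test: the JDK and Android (Conscrypt) trust managers
     *  throw on a null or empty chain (IllegalArgumentException), while a no-op
     *  implementation returns normally. Returning true here means "trust-all". */
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all accepts empty chain: " + acceptsEmptyChain(trustAllManager()));
        System.out.println("platform accepts empty chain:  " + acceptsEmptyChain(platformTrustManager()));
        // Install the validating context process-wide. Do not pair this with an
        // ALLOW_ALL HostnameVerifier: the TrustManager checks the chain, the
        // HostnameVerifier checks that the leaf matches the host, and both are needed.
        HttpsURLConnection.setDefaultSSLSocketFactory(platformContext().getSocketFactory());
    }
}
```

Run stand-alone, acceptsEmptyChain reports true for the trust-all manager and false for the platform one, which is the difference a scanner like the one named in the issue is looking for. Note that Google Play's check is static: the block applies to an APK that merely defines the no-op class, so the fix is to remove the implementation from the build, not just to avoid calling it.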
