cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-12809) Google Play Blocker: Unsafe SSL TrustManager Defined
Date Fri, 12 May 2017 23:07:04 GMT

    [ https://issues.apache.org/jira/browse/CB-12809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16008883#comment-16008883
] 

ASF GitHub Bot commented on CB-12809:
-------------------------------------

Github user amovsesy commented on the issue:

    https://github.com/apache/cordova-plugin-file-transfer/pull/179
  
    @jcesarmobile, I understand, but this is violating Google's play ToS and it clearly states
that any new updates or apps using an unsafe implementation of TrustManager will be blocked.
https://support.google.com/faqs/answer/6346016. Given that, any apps using this code would
be in violation and could be blocked from the google store.


> Google Play Blocker: Unsafe SSL TrustManager Defined
> ----------------------------------------------------
>
>                 Key: CB-12809
>                 URL: https://issues.apache.org/jira/browse/CB-12809
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-plugin-file-transfer
>    Affects Versions: 1.6.1
>            Reporter: Aleksandr Movsesyan
>            Priority: Critical
>              Labels: android
>
> We are using a security tool that reported this issue.
> The following Java classes defined within the App define a custom (https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html)
X509TrustManager that does not validate SSL certificates:
> org.apache.cordova.filetransfer.FileTransfer$3
> The affected classes define an empty checkServerTrusted() method, thereby disabling SSL
validation and hence accepting any SSL certificate as valid, if the class is used when connecting
to a server over SSL/TLS.
> Regardless of whether affected classes are used or not at runtime, Google Play is blocking
any App that defines such an insecure X509TrustManager as detailed on Google's support page(https://support.google.com/faqs/answer/6346016):
> "Beginning May 17, 2016, Google Play will block publishing of any new apps or updates
containing the unsafe implementation of the interface X509TrustManager."
> Additionally, Google's presentation at the Black Hat 2016 conference (https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf)
details (on slide 45) the vulnerable code found in the vulnerable classes, that Google Play
will ban:
> // Dangerous code: do not do this!
> SLContext ctx = SSLContext.getInstance("TLS");
> ctx.init(null, new TrustManager[] {
>     new X509TrustManager() {
>         public void checkClientTrusted(X509Certificate[] chain, String authType) {} 
>         public void checkServerTrusted(X509Certificate[] chain, String  authType) {}

>         public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{};
} } }, null);
> HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
> Lastly, a list of Apps that have already been blocked by Google Play because of this
issue can be found here(https://stackoverflow.com/search?q=%5Bandroid-security%5D+checkServerTrusted).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message