cordova-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (CB-12809) Google Play Blocker: Unsafe SSL TrustManager Defined
Date Mon, 21 Aug 2017 16:44:00 GMT


ASF GitHub Bot commented on CB-12809:

GitHub user macdonst opened a pull request:

    CB-12809: Google Play Blocker: Unsafe SSL TrustManager Defined

    ### Platforms affected
    ### What does this PR do?
    It removes the `trustAllHosts` parameter from the Android FileTransfer code. Google will start blocking apps from the PlayStore that include unsafe implementations of the TrustManager.
    ### What testing has been done on this change?
    I've run a number of successful manual download tests after the change where the parameters
    download(uri, fileURL, win, fail, false, options);
    download(uri, fileURL, win, fail, true, options);
    download(uri, fileURL, win, fail, options);
    download(uri, fileURL, win, fail);
    I ran the automatic test coverage and before my changes 25 tests failed and 2 tests were pending. After my changes 25 tests failed and 2 tests were pending.
    ### Checklist
    - [x] Reported an issue in the JIRA
    - [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB-xxxx is the JIRA ID & "android" is the platform affected.
    - [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull master

Alternatively you can review and apply these changes as the patch at:

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #187
commit 751d229d0fdc9c36b63979dd66754a212a020c9a
Author: Simon MacDonald <>
Date:   2017-08-21T15:42:25Z

    CB-12809: Google Play Blocker: Unsafe SSL TrustManager Defined


> Google Play Blocker: Unsafe SSL TrustManager Defined
> ----------------------------------------------------
>                 Key: CB-12809
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-plugin-file-transfer
>    Affects Versions: 1.6.1
>            Reporter: Aleksandr Movsesyan
>            Priority: Critical
>              Labels: android
> We are using a security tool that reported this issue.
> The following Java classes defined within the App define a custom X509TrustManager that does not validate SSL certificates:
> org.apache.cordova.filetransfer.FileTransfer$3
> The affected classes define an empty checkServerTrusted() method, thereby disabling SSL validation and hence accepting any SSL certificate as valid, if the class is used when connecting to a server over SSL/TLS.
> Regardless of whether affected classes are used or not at runtime, Google Play is blocking any App that defines such an insecure X509TrustManager as detailed on Google's support page:
> "Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager."
> Additionally, Google's presentation at the Black Hat 2016 conference details (on slide 45) the vulnerable code found in the vulnerable classes, that Google Play will ban:
> // Dangerous code: do not do this!
> SSLContext ctx = SSLContext.getInstance("TLS");
> ctx.init(null, new TrustManager[] {
>     new X509TrustManager() {
>         public void checkClientTrusted(X509Certificate[] chain, String authType) {}
>         public void checkServerTrusted(X509Certificate[] chain, String authType) {}
>         public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; }
>     }
> }, null);
> HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
> Lastly, a list of Apps that have already been blocked by Google Play because of this issue can be found here

This message was sent by Atlassian JIRA
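
Where an app needs to reach a server whose certificate chains to a private or self-signed CA, the case a trust-all manager is usually written for, it can trust that CA explicitly and keep chain validation on. This is an added example, not code from the pull request or from cordova-plugin-file-transfer; the class name `PinnedCaConnection` and the caller-supplied CA stream (PEM or DER, for instance a file bundled with the app) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; names are illustrative, not part of the plugin.
public final class PinnedCaConnection {

    /** Builds a socket factory that trusts only the CA certificates read from caStream. */
    static SSLSocketFactory socketFactoryFor(InputStream caStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Start from an empty trust store so nothing but the supplied CAs is trusted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        int count = 0;
        for (Certificate ca : cf.generateCertificates(caStream)) {
            trustStore.setCertificateEntry("ca-" + count++, ca);
        }
        // Fail here rather than at handshake time if the stream held no certificate.
        if (count == 0) {
            throw new IllegalArgumentException("no CA certificate supplied");
        }

        // The platform's own X509TrustManager does the chain validation;
        // no checkServerTrusted() is overridden anywhere.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Opens url with the restricted factory applied to this connection only. */
    static HttpsURLConnection open(URL url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection setting: the process-wide default factory is left untouched,
        // and the default HostnameVerifier still checks the certificate's host name.
        conn.setSSLSocketFactory(factory);
        return conn;
    }
}
```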
