How to fix apps containing an unsafe implementation of TrustManager

This information is intended for developers of apps that contain an unsafe implementation of the interface X509TrustManager.

What’s happening

One or more of your apps contain an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. Please review the detailed steps below to fix the issue with your apps. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required​

  1. Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

 

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. In particular, please be aware of the following pitfalls:

  1. Ensure that the Exceptions raised by checkServerTrusted are not caught within the method. This would cause checkServerTrusted to exit normally, leading the app to trust an harmful certificate.
  2. Do not use checkValidity for purposes of vetting the server certificate. checkValidity checks if a certificate is unexpired, and cannot tell if a certificate should not be trusted.

You can also use a network security configuration to customize your app’s certificate behavior in a less error-prone way.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security” and “TrustManager.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Was this helpful?
How can we improve it?