5

First off, I should say, I'm mainly a PHP developer. I have a relatively aged app on Google Play that was built targeting API 15 back at the end of 2012.

Have reviewed others' questions here relating to the unsafe implementation of the interface X509TrustManager alert from Google Play but none seem to apply to me. I am not making requests over SSL nor am I using any external library beyond Google Play Services.

The alert says the issue is with apache.http. Specifically it says:

Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Centre article for details, including the deadline for fixing the vulnerability.

Since I am not using SSL connections I'm not sure how to proceed. Is the fact that I am not using SSL for connections what Google has a problem with? The data I am exchanging with the server couldn't really be deemed sensitive - lost and found pet listings.

The website the app relates to is voluntary, self-funded and on shared hosting so adding SSL is something I would prefer not to be forced into at this time. Is implementing SSL my only way forward here?

Joe
  • Even if you don't explicitly use HTTPS, your server might theoretically redirect to HTTPS. – kichik Feb 19 '16 at 18:50
  • No, there is no certificate installed on the domain I'm interacting with. – Joe Feb 19 '16 at 18:58
  • "The alert says the issue is with apache.http.httpclient" -- please post the exact text of the message, including the exact name of the class in question. There is no class named `apache.http.httpclient`. Also, how old is your Play Services? If it is from 2012, it's not out of the question that the problem comes from Play Services itself, one that got fixed in the past ~3.5 years. – CommonsWare Feb 19 '16 at 19:00
  • Have added the exact alert text to the question and yes, you're correct, I misnamed the class mentioned. I was wondering about the old Play Services jar myself - it's being used to provide mapping support. However, I originally built this project in Eclipse and I'm unsure how to update that. Currently the Google Play Services are referenced from that Google Play Library project in my workspace. Do I need to remove, update and re-reference that project or can I just update the jar file? – Joe Feb 19 '16 at 20:38
  • Well, after a lot of experimentation I managed to update the Play Services library by simply removing the physical project directory from my workspace and then importing the current version of the project, checking 'copy project to workspace' in the process. At first it wasn't building, but then I changed the target SDK in the project properties to 21 and that permitted the build to go fine. However, that has resulted in a bunch of other errors, as some of the map calls I was making are deprecated, so I will need to work through those before I see if the old Play Services lib was the issue. – Joe Feb 20 '16 at 04:34

1 Answer

1

CommonsWare was correct. Updating the Google Play Services has caused the alert to disappear.

Joe
  • You mean it has nothing to do with X509TrustManager, but with this lib being used, that is, `compile files('libs/google-play-services.jar')`? – Narendra Singh Nov 17 '16 at 06:29
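
For anyone tracing the same alert to a bundled library, as happened in the answer above: the following is an added example (not code from the original posts) that lists which jars in a project's `libs/` directory contain classes naming the `X509TrustManager` interface. The jar names, class names and class bytes are constructed for the demo; a hit only shows that a class references the interface, so it tells you which library to review or update, not that the implementation is unsafe.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Internal (slash-separated) form of the interface name, as stored in the
# constant pool of any .class file that implements or uses it.
NEEDLE = b"javax/net/ssl/X509TrustManager"

def classes_naming_trust_manager(jar_bytes):
    """Return the sorted .class entries of a jar whose bytes mention the interface."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and NEEDLE in jar.read(name):
                hits.append(name)
    return sorted(hits)

def scan_libs(libs_dir):
    """Map jar file name -> referencing classes, for every *.jar in libs_dir."""
    report = {}
    for jar_path in sorted(Path(libs_dir).glob("*.jar")):
        hits = classes_naming_trust_manager(jar_path.read_bytes())
        if hits:
            report[jar_path.name] = hits
    return report

def build_sample_jar(entries):
    """Constructed test input: a jar holding fake class bodies (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

# Constructed samples: one "old" library naming the interface, one that does not.
OLD_LIB = build_sample_jar({
    "com/example/old/LegacyTrustManager.class": b"\xca\xfe\xba\xbe" + NEEDLE,
    "com/example/old/MapHelper.class": b"\xca\xfe\xba\xbe" + b"java/lang/Object",
})
CLEAN_LIB = build_sample_jar({
    "com/example/clean/Util.class": b"\xca\xfe\xba\xbe" + b"java/lang/String",
})

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as libs:
        Path(libs, "old-lib.jar").write_bytes(OLD_LIB)
        Path(libs, "clean-lib.jar").write_bytes(CLEAN_LIB)
        for jar_name, classes in scan_libs(libs).items():
            print(jar_name, classes)
```

Point `scan_libs` at the real `libs/` directory of the project to see which bundled jars are worth checking for a newer release.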