I am trying to make my Android apps comply with Android's new policy of having secure apps per this requirement and instructions.

1) I first added SSL and https to the urls in my app
2) Then I started using the class HttpsURLConnection instead of HttpURLConnection

Here is an example of remote call that I use:

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.net.URL;
    import java.net.URLEncoder;
    import javax.net.ssl.HttpsURLConnection;
    import android.app.Activity;
    import android.app.Dialog;
    import android.content.Intent;
    import android.os.AsyncTask;
    import android.widget.TextView;

    public class CreateProfileActivity extends Activity
    {
        // Progress dialog shown while the request runs (was undeclared in the snippet)
        private Dialog dialog;

        public void sendFeedback(String name, String email, String password)
        {
            String[] params = new String[] { "https://www.problemio.com/auth/create_profile_mobile.php", name, email, password };

            DownloadWebPageTask task = new DownloadWebPageTask();
            task.execute(params);
        }

        public class DownloadWebPageTask extends AsyncTask<String, Void, String>
        {
            private boolean connectionError = false;

            @Override
            protected void onPreExecute()
            {
                dialog = new Dialog(CreateProfileActivity.this);
                dialog.setContentView(R.layout.please_wait);
                dialog.setTitle("Creating Profile");

                TextView text = (TextView) dialog.findViewById(R.id.please_wait_text);
                text.setText("Please wait while your profile is created... ");
                dialog.show();
            }

            @Override
            protected String doInBackground(String... theParams)
            {
                String myUrl = theParams[0];
                final String name = theParams[1];
                final String email = theParams[2];
                final String password = theParams[3];

                String charset = "UTF-8";
                String response = null;

                try
                {
                    // Form-encode the fields once. They are written to the POST body below
                    // rather than appended to the URL as in the original snippet, so the
                    // password is not part of the request line that ends up in server and
                    // proxy access logs. The server must read them as POST fields.
                    String query = String.format("name=%s&email=%s&password=%s",
                            URLEncoder.encode(name, charset),
                            URLEncoder.encode(email, charset),
                            URLEncoder.encode(password, charset));

                    final URL url = new URL(myUrl);

                    // HttpsURLConnection validates the server certificate with the
                    // platform's default trust store; no custom X509TrustManager is involved.
                    final HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
                    conn.setRequestMethod("POST");
                    conn.setDoOutput(true);
                    conn.setUseCaches(false);
                    conn.setRequestProperty("Content-Type",
                            "application/x-www-form-urlencoded; charset=" + charset);

                    // Send the body (the original set doOutput twice and never wrote one)
                    OutputStream out = conn.getOutputStream();
                    out.write(query.getBytes(charset));
                    out.close();

                    // Decode through a Reader so multi-byte characters are not split
                    // across read() chunks, as new String(buffer, 0, n) could do
                    final BufferedReader reader = new BufferedReader(
                            new InputStreamReader(conn.getInputStream(), charset));
                    final char[] buffer = new char[8192];
                    int readCount;
                    final StringBuilder builder = new StringBuilder();
                    while ((readCount = reader.read(buffer)) > -1)
                    {
                        builder.append(buffer, 0, readCount);
                    }
                    reader.close();
                    conn.disconnect();

                    response = builder.toString();
                }
                catch (Exception e)
                {
                    connectionError = true;
                }

                return response;
            }

            @Override
            protected void onPostExecute(String result)
            {
                // Some code

                // Make an intent to go to the home screen
                Intent myIntent = new Intent(CreateProfileActivity.this, MainActivity.class);
                CreateProfileActivity.this.startActivity(myIntent);
            }
        }
    }

But it didn't remove the warning sign on my developer console. Any idea what I am doing wrong and how to fix this?

Mojtaba Asgari
Genadinik
    Why do you have an `X509TrustManager` in the first place? What is your scenario where you think that you need one? https://commonsware.com/blog/2016/02/22/about-x509trustmanager-emails.html – CommonsWare Apr 03 '16 at 22:28
  • @CommonsWare I read on that page that this solved for them ... personally I have little understanding of it http://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app – Genadinik Apr 03 '16 at 22:29
  • That's nice, but it does not answer my question. Why do you have an `X509TrustManager` in the first place? If you did not have one, and then started getting this message from the Play Store, your problem probably comes from [a third-party library](https://stackoverflow.com/questions/35490107/you-are-using-an-unsafe-implementation-of-x509trustmanager/35490317#35490317). If you had an `X509TrustManager` of your own before getting this message... why? – CommonsWare Apr 03 '16 at 22:32
  • @CommonsWare I don't have an X509TrustManager manager. – Genadinik Apr 03 '16 at 22:33
  • @CommonsWare I use doInBackground methods that make remote calls to my server and get data in return – Genadinik Apr 03 '16 at 22:34
  • I use this to call my server: public class DownloadWebPageTask extends AsyncTask – Genadinik Apr 03 '16 at 22:35
    "I don't have an X509TrustManager" -- then your problem is coming from some third-party library. You will need to identify what that library is and see if there is some new version that fixes this problem. – CommonsWare Apr 03 '16 at 22:40
  • @CommonsWare I changed my original question to explain my situation better. Would you know what I can do in my current situation? Thanks! – Genadinik Apr 07 '16 at 15:11
  • As I noted, your problem is coming from some third-party library. You will need to identify what that library is and see if there is some new version that fixes this problem. Or, just update all of your third-party libraries to their latest versions, and see if the problem goes away. – CommonsWare Apr 07 '16 at 15:16
  • @CommonsWare I am not really using 3rd party libraries. It is a simple app. The only thing I am doing that I think can be problematic is making the remote server call. You don't think it is the remote server call issue? – Genadinik Apr 07 '16 at 16:41
  • "I am not really using 3rd party libraries" -- then I fail to see how Google can be complaining. The specific thing that Google is looking for is a custom `X509TrustManager` that has a broken implementation, such as the one in [this question](http://stackoverflow.com/questions/11857417/x509trustmanager-override-without-allowing-all-certs). Either you have one that you typed in yourself, or you have one from some library you are adding via `dependencies`, or Google's scanner is broken. – CommonsWare Apr 07 '16 at 17:00
  • @CommonsWare as always, you are a genius. I took out an old jar related to flurry and acra, and it got rid of the warning. If you want to add this as the answer I'll mark it as closed. – Genadinik Apr 10 '16 at 13:17

Assuming Google's scanner is not broken, the X509TrustManager that it complains about can come from one of two places.

It could be from your own source code. Usually, you will remember doing this, because you typed in implements X509TrustManager in a class somewhere and overrode a bunch of icky-looking methods. A quick search through your source code should determine if this is the case.

If not, it is from some library. Many — hopefully most — libraries will have cleaned this up. However, it may be cleaned up only in newer editions of the library than you are presently using, either because you have an old version listed in your dependencies, or you are using a local JAR or something. The bad news is that tracking down the culprit here can be a pain, though it will be limited to libraries that need Internet access (e.g., recyclerview-v7 will not be a problem). The good news is that fixing the issue may be as simple as updating the library, or removing it if it is cruft from past implementations of your app that you are no longer using.

While I cannot speak regarding Flurry, this problem did exist in an old version of ACRA. There have been a variety of other fixes to ACRA in recent months, and so I would recommend that you upgrade to the current edition anyway.

CommonsWare
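The two-step search the answer describes (look for a trust-manager declaration in your own sources, then in the JARs you ship, such as an old libs/ copy of Flurry or ACRA) as a small scanner. This is an added example, not code from the question, the answer, or either library; the Java source and the JAR it checks are constructed in memory, and the class names in them are made up.

```python
import io
import re
import zipfile
from pathlib import Path

# A trust manager is declared either as "implements X509TrustManager"
# or as an anonymous class "new X509TrustManager() {".
SRC_PATTERN = re.compile(
    r"\b(implements\s[^{;]*\bX509TrustManager\b|new\s+X509TrustManager\s*\()")
# Compiled classes name the interface in their constant pool by internal name.
CLASS_REF = b"javax/net/ssl/X509TrustManager"


def source_declares_trust_manager(java_text):
    """True if this Java source declares its own X509TrustManager."""
    return SRC_PATTERN.search(java_text) is not None


def jar_classes_referencing(jar_bytes):
    """Names of .class entries in a JAR (given as bytes) that reference
    X509TrustManager. A hit only narrows the search to that library; the
    class still has to be inspected to see whether checkServerTrusted
    is actually broken, which is what the Play Store scan objects to."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist()
                if n.endswith(".class") and CLASS_REF in jar.read(n)]


def scan_project(root):
    """Walk an app checkout: .java files declaring a trust manager and
    .jar files (e.g. libs/) whose classes reference one."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".java" and source_declares_trust_manager(
                path.read_text(errors="replace")):
            findings.append((str(path), "declares X509TrustManager"))
        elif path.suffix == ".jar":
            for cls in jar_classes_referencing(path.read_bytes()):
                findings.append((str(path), cls))
    return findings


# Constructed samples; neither is taken from the question's app.
SAMPLE_SOURCE = "TrustManager[] tm = { new X509TrustManager() { /* overrides elided */ } };"
SAMPLE_CLEAN_SOURCE = "HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();"


def sample_jar():
    """In-memory JAR: one class referencing the interface, one that does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/TrustAll.class", b"\xca\xfe\xba\xbe" + CLASS_REF)
        jar.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe" + b"java/lang/Object")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_project("."):
        print(*finding)
```

Run it from the app's project root; Gradle-fetched dependencies live in the Gradle cache rather than under the project, so point it there too if the local libs/ folder comes up clean.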