Android X509TrustManager app rejected google play

Question

Application is working fine, while uploading application it raised below error in Google Play Consol

Vulnerability TrustManager To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. To confirm you’ve updated correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning. For additional information and next steps, please see this Google Help Center article.

i have used below code for API Call

    DefaultHttpClient client=null;
    try {
        SchemeRegistry schemeRegistry = new SchemeRegistry();
        // http scheme
        schemeRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // https scheme
        schemeRegistry.register(new Scheme("https", new EasySSLSocketFactory(), 443));

        HttpParams mHttpParams = new BasicHttpParams();
        mHttpParams.setParameter(ConnManagerPNames.MAX_TOTAL_CONNECTIONS, 30);
        mHttpParams.setParameter(ConnManagerPNames.MAX_CONNECTIONS_PER_ROUTE, new ConnPerRouteBean(30));
        mHttpParams.setParameter(HttpProtocolParams.USE_EXPECT_CONTINUE, false);
        HttpProtocolParams.setVersion(mHttpParams, HttpVersion.HTTP_1_1);
        ClientConnectionManager cm = new ThreadSafeClientConnManager(mHttpParams, schemeRegistry);
        client = new DefaultHttpClient(cm, mHttpParams);
    } catch (Exception e) {
        e.printStackTrace();
        client = new DefaultHttpClient();
    }

My url is an IP based with HTTP

i have used below for X509TrustManager x509trustmanager-from-google trusting-all-certificates-using-httpclient

I would start by getting rid of your `SchemeRegistry` `register()` calls and the supporting classes (e.g., `EasySSLSocketFactory`). — CommonsWare, Jun 03 '16 at 18:32

sergej shafarenka · Answer 1 · 2016-06-03T18:59:51.347

This is a warning saying, that you use an insecure X509TrustManager with empty checkClientTrusted() and checkServerTrusted() methods. Those methods suppose to check client and server certificates as a part of HTTPS contract and throw an exception if given certificates are invalid. By keeping those methods empty you kinda break the whole HTTPS security, because your code will accept literally any certificates. For instance, your app is vulnerable to a man in the middle attack. Such empty implementation is almost the same as a plain HTTP one.

Using SSLSocketFactory.getSocketFactory() instead of new EasySSLSocketFactory() would solve the issue. The server your app connects must have a valid CA-signed certificate.

Thanks for this but issue is due to ACRA and Flurry i have remove both library now its fine to upload — PankajAndroid, Jun 07 '16 at 05:20

score 0 · Accepted Answer · edited May 23 '17 at 12:22

0

Finally issue is due to ACRA lib i have remove ACRA & Flurry
App upload successfully on google play Answer

edited May 23 '17 at 12:22

Community

1
1

answered Jun 07 '16 at 05:24

PankajAndroid

2,689
3
27
41

Android X509TrustManager app rejected google play

2 Answers2