Google Security Alert: Unsafe implementation of the interface X509TrustManager

UPDATE 3/9: Read our latest update on this issue.
If you have a Titanium Android app in Google Play, you might receive an email from the Google Play Team or see a Security alert in the Google Play Developer Console.
TL;DR Google detects a security issue in a Titanium class that is not used in production by default, but is still compiled into every build. We will have a Titanium SDK with a fix and instructions ready for you in time.
Keep Calm and Code Strong

The Alert

The email you might receive from Google reads:

Hello Google Play Developer,
Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”
Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.
To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Centre.

The email ends with a list of affected apps, versions and classes. Most likely, the only class listed will be

WARNING: If other classes are listed as well, these will be part of (third party) modules your app uses. Please work with the maintainers of those modules to get these fixed as well.

The Issue

We are tracking this issue on JIRA under TIMOB-20431. Please watch the ticket to get notified of updates.
The class is what Google warns about. This class is used by Ti.Network.HTTPClient, but only when validatesSecurityCertificate is false. In production, this defaults to true.

WARNING: If for some reason you use the validatesSecurityCertificate property to disable validation in production, start preparing your app and APIs now to no longer need this.

The class itself is included in production builds regardless of this setting, and Google's check looks at the code shipped in the APK rather than at what your app does at runtime. That is why Google still reports it as a security issue, even for apps that never disable validation.

The Solution

We will have a Titanium SDK update ready in time for the May 17 deadline. From that day on, new apps and updates will need to be built with this or later versions. Until then you can continue to build with the existing versions and ignore the warning.

TIP: Now would be a good time to get your apps up to date with the current Titanium SDK version. The latest GA is 5.1.2, with 5.2.0 coming soon. If you update now, it will be a one-liner once the fix is there.

So again: Keep Calm and Code Strong. We’ve got your back.



  1. This is very interesting… I’m using Ti.Network.HTTPClient in my apps, and I’ve never set the validatesSecurityCertificate to false. When I got the notice from Google, I resubmitted the app, explicitly setting validatesSecurityCertificate = true in all places. I did the same for all the webViews used in the app. Nevertheless, the alert came for the new version as well.

  2. I received this email as well for one app. However I have to stick to Ti-SDK 3.5.1 for this app because it would involve a lot of testing which my customer is not willing to create budget for.
    Could you explain how to solve this issue for Ti-SDK 3.5.1?

    • Hi Raymond, we are still in the process of fixing this issue. For SDK releases that we will not provide a new patch version for (and we have not decided yet for which releases we will) you will be able to patch and custom build a fix version yourself.

      • I have the same issue. Last time I tried 5.x my app no longer worked (don’t recall the issue off the top of my head but I just couldn’t get it to work) so I’m using 3.5.2. My business is dependent on this app so I surely hope you will be making a fix for 3.5.2 as well. All these backward-incompatible updates and changes in the mobile app world is such a pain…

  3. Thanks for the notification. I have 1 app that needs to work on Android 4.0.3 up to the newest Android. For it I need to use Titanium SDK 3.5.2. Now with this Google alert, will it be necessary to update the Titanium SDK, or is it only optional?

    • Hi Darwin,
      No. Google will not remove any apps:

      Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

      It will not accept new apps or updates for existing apps that have the class they consider insecure (even when it is not used at all).

