
Google Security Alert: Unsafe implementation of the interface X509TrustManager

UPDATE 3/9: Read our latest update on this issue.
If you have a Titanium Android app in Google Play, you might receive an email from the Google Play Team or see a Security alert in the Google Play Developer Console.
TL;DR Google detects a security issue in a Titanium class that is not used in production by default, but is still compiled into every APK. We will have a Titanium SDK with a fix and instructions ready for you in time.
Keep Calm and Code Strong

The Alert

The email you might receive from Google reads:

Hello Google Play Developer,
Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”
Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.
To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Centre.

The email ends with a list of affected apps, versions and classes. Most likely, the only class listed will be ti.modules.titanium.network.NonValidatingTrustManager.

WARNING: If other classes are listed as well, these will be part of (third party) modules your app uses. Please work with the maintainers of those modules to get these fixed as well.

The Issue

We are tracking this issue on JIRA under TIMOB-20431. Please watch the ticket to get notified of updates.
The class ti.modules.titanium.network.NonValidatingTrustManager is what Google warns about. This class is used by Ti.Network.HTTPClient, but only when validatesSecurityCertificate is false. In production, this property defaults to true.

WARNING: If for some reason you use the validatesSecurityCertificate property to disable validation in production, start preparing your app and APIs now to no longer need this.

The class itself is included in production builds regardless of this setting, which is why Google's scan still detects it as a security issue: the check is static, so it flags the presence of the accept-everything checkServerTrusted method, not whether your app actually calls it.

The Solution

We will have a Titanium SDK update ready in time for the May 17 deadline. From that day on, new apps and updates will need to be built with that version or later. Until then you can continue to build with the existing versions and ignore the warning.

TIP: Now would be a good time to get your apps up to date with the current Titanium SDK version. The latest GA is 5.1.2, with 5.2.0 coming soon. If you update now, it will be a one-liner once the fix is there.

So again: Keep Calm and Code Strong. We’ve got your back.