Aleksandr Movsesyan created CB-12809:
----------------------------------------
Summary: Google Play Blocker: Unsafe SSL TrustManager Defined
Key: CB-12809
URL: https://issues.apache.org/jira/browse/CB-12809
Project: Apache Cordova
Issue Type: Bug
Components: cordova-plugin-file-transfer
Affects Versions: 1.6.1
Reporter: Aleksandr Movsesyan
Priority: Critical
We are using a security tool that reported this issue.
The following Java classes defined within the App define a custom X509TrustManager
(https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html)
that does not validate SSL certificates:
org.apache.cordova.filetransfer.FileTransfer$3
The affected classes define an empty checkServerTrusted() method, thereby
disabling SSL validation and hence accepting any SSL certificate as valid, if
the class is used when connecting to a server over SSL/TLS.
Regardless of whether affected classes are used or not at runtime, Google Play
is blocking any App that defines such an insecure X509TrustManager as detailed
on Google's support page (https://support.google.com/faqs/answer/6346016):
"Beginning May 17, 2016, Google Play will block publishing of any new apps or
updates containing the unsafe implementation of the interface X509TrustManager."
Additionally, Google's presentation at the Black Hat 2016 conference
(https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf)
details (on slide 45) the vulnerable code found in the vulnerable classes,
that Google Play will ban:
// Dangerous code: do not do this!
// Imports needed for the snippet to compile (not shown on the slide):
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[] {
    new X509TrustManager() {
        // Empty bodies: no chain validation at all, so every certificate is accepted
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; }
    }
}, null);
// Installs the accept-all factory process-wide for every HttpsURLConnection
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
Lastly, a list of Apps that have already been blocked by Google Play because of
this issue can be found
here (https://stackoverflow.com/search?q=%5Bandroid-security%5D+checkServerTrusted).
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)