You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cordova.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/08/21 16:44:00 UTC
[jira] [Commented] (CB-12809) Google Play Blocker: Unsafe SSL
TrustManager Defined
[ https://issues.apache.org/jira/browse/CB-12809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16135412#comment-16135412 ]
ASF GitHub Bot commented on CB-12809:
-------------------------------------
GitHub user macdonst opened a pull request:
https://github.com/apache/cordova-plugin-file-transfer/pull/187
CB-12809: Google Play Blocker: Unsafe SSL TrustManager Defined
### Platforms affected
Android
### What does this PR do?
It removes the `trustAllHosts` parameter from the Android FileTransfer code. Google will start [blocking apps from the PlayStore](https://support.google.com/faqs/answer/6346016) that include unsafe implementations of the TrustManager.
### What testing has been done on this change?
I've run a number of successful manual download tests after the change where the parameters are:
```
download(uri, fileURL, win, fail, false, options);
download(uri, fileURL, win, fail, true, options);
download(uri, fileURL, win, fail, options);
download(uri, fileURL, win, fail);
```
I ran the automatic test coverage and before my changes 25 tests failed and 2 tests were pending. After my changes 25 tests failed and 2 tests were pending.
### Checklist
- [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html) in the JIRA database
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB-xxxx is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/macdonst/cordova-plugin-file-transfer master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cordova-plugin-file-transfer/pull/187.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #187
----
commit 751d229d0fdc9c36b63979dd66754a212a020c9a
Author: Simon MacDonald <si...@gmail.com>
Date: 2017-08-21T15:42:25Z
CB-12809: Google Play Blocker: Unsafe SSL TrustManager Defined
----
> Google Play Blocker: Unsafe SSL TrustManager Defined
> ----------------------------------------------------
>
> Key: CB-12809
> URL: https://issues.apache.org/jira/browse/CB-12809
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-plugin-file-transfer
> Affects Versions: 1.6.1
> Reporter: Aleksandr Movsesyan
> Priority: Critical
> Labels: android
>
> We are using a security tool that reported this issue.
> The following Java classes defined within the App define a custom (https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html) X509TrustManager that does not validate SSL certificates:
> org.apache.cordova.filetransfer.FileTransfer$3
> The affected classes define an empty checkServerTrusted() method, thereby disabling SSL validation and hence accepting any SSL certificate as valid, if the class is used when connecting to a server over SSL/TLS.
> Regardless of whether affected classes are used or not at runtime, Google Play is blocking any App that defines such an insecure X509TrustManager as detailed on Google's support page(https://support.google.com/faqs/answer/6346016):
> "Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager."
> Additionally, Google's presentation at the Black Hat 2016 conference (https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf) details (on slide 45) the vulnerable code found in the vulnerable classes, that Google Play will ban:
> // Dangerous code: do not do this!
> SLContext ctx = SSLContext.getInstance("TLS");
> ctx.init(null, new TrustManager[] {
> new X509TrustManager() {
> public void checkClientTrusted(X509Certificate[] chain, String authType) {}
> public void checkServerTrusted(X509Certificate[] chain, String authType) {}
> public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{}; } } }, null);
> HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
> Lastly, a list of Apps that have already been blocked by Google Play because of this issue can be found here(https://stackoverflow.com/search?q=%5Bandroid-security%5D+checkServerTrusted).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org