How to fix unsafe implementation of X509TrustManager in Android app

27,193

Solution 1

I have solved this using the following code:

public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    chain[0].checkValidity();
                } catch (Exception e) {
                    throw new CertificateException("Certificate not valid or trusted.");
                }
            }

Solution 2

Add the upgraded version of OKttps worked for me crashing in Android 10

implementation 'com.squareup.okhttp3:okhttp:4.8.0'

Solution 3

If you encounter this from external library you're using, check if appache libraray is the cause of it.

For me apache library caused the error : i was using deprecated class - MultipartEntity. This class uses SSLContextBuilder which uses TrustManagerDelegate. TrustManagerDelegate implements X509TrustManager, which cause "unsafe implementation of TrustManager" error when uploading application to google play store.

The solution is : instead of deprecated MultipartEntity class, use MultipartEntityBuilder.

For example :

MultipartEntity httpMultipart = new MultipartEntity();
String contentType = httpMultipart.getContentType().getValue();

Will be replaced by :

MultipartEntityBuilder httpMultipart = new MultipartEntityBuilder();
String contentType = httpMultipart.build().getContentType().getValue();

27,193

Nabeel

Updated on July 29, 2020

Comments

Nabeel almost 4 years
Google has advised that I have an unsafe implementation of the interface X509TrustManager in my Android application and need to change my code as follows:

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”

How can the following code be modified to fix the above issue?
```
public EasySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    super(truststore);

    TrustManager tm = new X509TrustManager()  {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    mContext.init(null, new TrustManager[] { tm }, null);
}
```
- zys over 8 years
  
  I also meet this problem,do you have a solution？
- CommonsWare over 8 years
  
  "How can the following code be modified to fix the above issue?" -- you delete it.
Nabeel over 8 years

Thanks, but please see my answer for a simpler fix. The warning from Google has disappeared from Play Developer console.
anddev over 8 years

@Glowcall, at where I should write above code in application to solved error? I mean under which activity?
Nabeel over 8 years

@anddev The affected activity/class depends on what Google referred to in the Email you were sent regarding this warning. Just find the relevant checkServerTrusted method in your source and replace it with the above; that should fix it.
zys over 8 years

see the solution that the link I puted
zys over 8 years

If the CA is a self-signed CA, this solution is not a good idea! some times we must accept self-signed CA
Yazazzello about 8 years

just one note: google doesn't check implementations of the interface X509TrustManager when app is in Beta or Alpha stage. Only prod and only five hours after publishing.
Sharp Edge almost 8 years

@Lollipop so is there a solution for self signed certificates ??
geekoraul almost 8 years

I implement the TrustManager to be able to work with the server on my development machine, bypassing all the certificate checks. Will adding this exception prevent me from sending requests to my development machine ?
Lane Rettig almost 8 years

> google doesn't check implementations of the interface X509TrustManager when app is in Beta or Alpha stage This is no longer true--I'm getting this error now for an app in alpha!
Nohus about 7 years

Don't use this very bad code! The code allows man-in-the-middle attacks and renders the entire point of SSL null. The checkValidity() method only checks if the certificate is not expired and nothing else, meaning this code will happily accept ANY not expired certificate whatsoever, even if the certificate is for another server and not signed by anything.
Nohus about 7 years

This is very bad and shouldn't be used for anything, if you have a self signed certificate then check that certificate, accepting anything makes SSL pointless.
Nabeel about 7 years

@Nohus, what is your solution then?
Nohus about 7 years

I will write my answer when I get some time in a day or two and let you know.
Hitesh Gehlot about 7 years

yes you are right i am also facing this same problem
Jeyaseelan over 6 years

Yes it is fine answer, you saved my time
Artanis over 5 years

does anyone know where is this exception is being caught?
Artanis over 5 years

does anyone know where is this exception is being caught?
Hardik Vasani over 4 years

find any solution if yes please share your ans with us!