How to fix unsafe implementation of X509TrustManager in Android app
Solution 1
I have solved this using the following code:
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
try {
chain[0].checkValidity();
} catch (Exception e) {
throw new CertificateException("Certificate not valid or trusted.");
}
}
Solution 2
Add the upgraded version of OKttps worked for me crashing in Android 10
implementation 'com.squareup.okhttp3:okhttp:4.8.0'
Solution 3
If you encounter this from external library you're using, check if appache libraray is the cause of it.
For me apache library caused the error : i was using deprecated class - MultipartEntity. This class uses SSLContextBuilder which uses TrustManagerDelegate. TrustManagerDelegate implements X509TrustManager, which cause "unsafe implementation of TrustManager" error when uploading application to google play store.
The solution is : instead of deprecated MultipartEntity class, use MultipartEntityBuilder.
For example :
MultipartEntity httpMultipart = new MultipartEntity();
String contentType = httpMultipart.getContentType().getValue();
Will be replaced by :
MultipartEntityBuilder httpMultipart = new MultipartEntityBuilder();
String contentType = httpMultipart.build().getContentType().getValue();
Related videos on Youtube
Nabeel
Updated on July 29, 2020Comments
-
Nabeel almost 4 years
Google has advised that I have an unsafe implementation of the interface X509TrustManager in my Android application and need to change my code as follows:
To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”
How can the following code be modified to fix the above issue?
public EasySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { super(truststore); TrustManager tm = new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public X509Certificate[] getAcceptedIssuers() { return null; } }; mContext.init(null, new TrustManager[] { tm }, null); }
-
zys over 8 yearsI also meet this problem,do you have a solution?
-
CommonsWare over 8 years"How can the following code be modified to fix the above issue?" -- you delete it.
-
-
Nabeel over 8 yearsThanks, but please see my answer for a simpler fix. The warning from Google has disappeared from Play Developer console.
-
anddev over 8 years@Glowcall, at where I should write above code in application to solved error? I mean under which activity?
-
Nabeel over 8 years@anddev The affected activity/class depends on what Google referred to in the Email you were sent regarding this warning. Just find the relevant checkServerTrusted method in your source and replace it with the above; that should fix it.
-
zys over 8 yearssee the solution that the link I puted
-
zys over 8 yearsIf the CA is a self-signed CA, this solution is not a good idea! some times we must accept self-signed CA
-
Yazazzello about 8 yearsjust one note: google doesn't check implementations of the interface X509TrustManager when app is in Beta or Alpha stage. Only prod and only five hours after publishing.
-
Sharp Edge almost 8 years@Lollipop so is there a solution for self signed certificates ??
-
geekoraul almost 8 yearsI implement the TrustManager to be able to work with the server on my development machine, bypassing all the certificate checks. Will adding this exception prevent me from sending requests to my development machine ?
-
Lane Rettig almost 8 years> google doesn't check implementations of the interface X509TrustManager when app is in Beta or Alpha stage This is no longer true--I'm getting this error now for an app in alpha!
-
Nohus about 7 yearsDon't use this very bad code! The code allows man-in-the-middle attacks and renders the entire point of SSL null. The
checkValidity()
method only checks if the certificate is not expired and nothing else, meaning this code will happily accept ANY not expired certificate whatsoever, even if the certificate is for another server and not signed by anything. -
Nohus about 7 yearsThis is very bad and shouldn't be used for anything, if you have a self signed certificate then check that certificate, accepting anything makes SSL pointless.
-
Nabeel about 7 years@Nohus, what is your solution then?
-
Nohus about 7 yearsI will write my answer when I get some time in a day or two and let you know.
-
Hitesh Gehlot about 7 yearsyes you are right i am also facing this same problem
-
Jeyaseelan over 6 yearsYes it is fine answer, you saved my time
-
Artanis over 5 yearsdoes anyone know where is this exception is being caught?
-
Artanis over 5 yearsdoes anyone know where is this exception is being caught?
-
Hardik Vasani over 4 yearsfind any solution if yes please share your ans with us!