Appcelerator Blog


Google Security Alert: Unsafe implementation of the interface X509TrustManager


UPDATE 3/9: Read our latest update on this issue.

If you have a Titanium Android app in Google Play, you might receive an email from the Google Play Team or see a Security alert in the Google Play Developer Console.

TL;DR Google detects a security issue in a Titanium class that by default is not actually used in production, but is still present in the compiled app. We will have a Titanium SDK with a fix and instructions ready for you in time.

Keep Calm and Code Strong

The Alert

The email you might receive from Google reads:

Hello Google Play Developer,

Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”

Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Centre.

The email ends with a list of affected apps, versions and classes. Most likely, the only class listed will be

WARNING: If other classes are listed as well, these will be part of (third party) modules your app uses. Please work with the maintainers of those modules to get these fixed as well.

The Issue

We are tracking this issue on JIRA under TIMOB-20431. Please watch the ticket to get notified of updates.

The class is what Google warns for. This class is used by Ti.Network.HTTPClient, but only when validatesSecurityCertificate is false. In production builds this property defaults to true, so the non-validating trust manager is not used; it is only selected by default in development builds, where the property defaults to false.

WARNING: If for some reason you use the validatesSecurityCertificate property to disable certificate validation in production (for example to talk to an API with a self-signed certificate), start preparing your app and APIs now to no longer need this.

The class itself is compiled into production builds regardless of this setting. Google's check is a static scan of the APK for an X509TrustManager whose checkServerTrusted never throws, so it is flagged even though the code path is never taken.

The Solution

We will have a Titanium SDK update ready in time for the May 17 deadline. From that day on, new apps and updates will need to be built with that version or later. Until then you can continue to build with the existing versions and ignore the warning.

TIP: Now would be a good time to get your apps up to date with the current Titanium SDK version. The latest GA is 5.1.2, with 5.2.0 coming soon. If you update now, it will be a one-liner once the fix is there.

So again: Keep Calm and Code Strong. We’ve got your back.



  1. Joseph

    Yep – I’ve received this email for two Apps on Google Play. Thanks for the notice. Will keep an eye out for the fix. Thanks!

  2. Olga

    This is very interesting… I’m using Ti.Network.HTTPClient in my apps, and I’ve never set validatesSecurityCertificate to false. When I got the notice from Google, I resubmitted the app, explicitly setting validatesSecurityCertificate = true in all places. I did the same for all the webViews used in the app. Nevertheless, the alert came for the new version as well.

    • The default is true already and, as we explain in the blog post, it doesn’t matter what you set it to. Google simply detects the presence of the class, regardless of whether you use it.

  3. Raymond Verbruggen

    I received this email as well for one app. However I have to stick to Ti-SDK 3.5.1 for this app because it would involve a lot of testing which my customer is not willing to create budget for.
    Could you explain how to solve this issue for Ti-SDK 3.5.1?

    • Hi Raymond, we are still in the process of fixing this issue. For SDK releases that we will not provide a new patch version for (and we have not decided yet for which releases we will) you will be able to patch and custom build a fix version yourself.

      • Allan

        I have the same issue. Last time I tried 5.x my app no longer worked (don’t recall the issue off the top of my head but I just couldn’t get it to work) so I’m using 3.5.2. My business is dependent on this app so I surely hope you will be making a fix for 3.5.2 as well. All these backward-incompatible updates and changes in the mobile app world is such a pain…

  4. Leander Rodrigo

    Thanks for the notification. I have one app that needs to work on Android 4.0.3 up to the newest Android. For that I need to use Titanium SDK 3.5.2. Now, with this Google alert, will it be necessary to update the Titanium SDK, or is it only optional?

    • Hi Leander. Titanium 5.x has minSDKVersion 14, which is Android 4.0, so you can upgrade to the latest GA and still support Android 4.0.3.

      • Narender

        Thanks for the update. Titanium 5.x has minSDKVersion 14, which is Android 4.0. I am using 3.5.1 with minSDKVersion 10. Now, with this Google alert, will it be necessary to update the Titanium SDK, or is it only optional?

        • We are looking into the possibility of doing a patch release for 3.5.1 as well. If not, then at least you’ll be able to do a custom build yourself using a patch provided by us. We’ll have information soon.

  5. Hello,
    So, Google will remove my app from the store because of this?
    I’m using version 3.2.
    What’s going to happen with this version?

    • Hi Darwin,

      No. Google will not remove any apps:

      Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

      It will not accept new apps or updates for existing apps that have the class they consider insecure (even when it is not used at all).

      • Even from the play store?
        They said that we may be breaking the developer agreement.
        Could it block Push Notifications Services?

        • Where did you read that this is breaking the developer agreement? Their FAQ does not mention that, nor that they will block PNS.

  6. When will the patch be available?
    Is there a launch date?

  7. We moved our app to GA 5.2.
    If I understood; that version brings the patch?

    • It does not, as our tests have shown that 5.2 as it is does not raise the security alert. Please report if you see otherwise.
