In February, a number of Titanium developers received Google Security Alerts for their apps. To learn more about this alert, see our initial blog post.
TL;DR Owing to a somewhat simplistic security scan, Google has flagged an implementation of the X509TrustManager interface in a Titanium SDK class as unsafe. This class is by default not used in production apps, though it remains present in the SDK. A developer has to publish a development build or manually disable SSL certificate validation in order to use this class in production. If the class is not used, there is no actual security issue. Regardless, Google will not accept new apps or updates to existing apps that trigger this security alert, beginning May 17, 2016.
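As an added illustration, not code from the Titanium SDK and not the class Google flagged, the following Java shows the shape of an X509TrustManager that performs no validation (the pattern a scan like Google's looks for) next to the approach that keeps the platform's default certificate validation in place. The class names and the acceptsAnyCertificate review helper are this example's own.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // The pattern security scans flag: an X509TrustManager whose
    // checkServerTrusted never throws, so every server certificate
    // (expired, self-signed, issued for another host) is accepted.
    // Kept here only so the shape is recognisable during code review.
    static final class TrustAllManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // no validation
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // no validation: this is what makes the class unsafe
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    // Hardened form: do not install a custom TrustManager at all.
    // The default SSLSocketFactory and HostnameVerifier use the platform
    // trust store and perform full chain and hostname validation.
    static HttpsURLConnection openValidated(String url) throws IOException {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // The platform's own X509TrustManager, obtained without a custom class.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Review helper (hypothetical): true if the trust manager accepts an
    // empty chain, which a validating implementation never does.
    static boolean acceptsAnyCertificate(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true; // a validating trust manager would have thrown
        } catch (CertificateException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all accepts anything: "
            + acceptsAnyCertificate(new TrustAllManager()));   // true
        System.out.println("platform accepts anything:  "
            + acceptsAnyCertificate(platformTrustManager()));  // false
    }
}
```

The helper is a cheap unit-test check for an app's own code: any X509TrustManager in the code base for which acceptsAnyCertificate returns true will attract the same Security Alert the post describes, whether or not it is reachable in a production build.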
Affected Titanium SDK versions
We have uploaded APKs to Google Play to test all latest major and minor releases since 3.5.1.GA. These were all production builds that did not manually disable SSL certificate validation. We manually targeted Android API level 22 for 5.0.2.GA and older. Titanium 5.1.2.GA and later default to API level 23.
These tests showed that Google only raises the Security Alert for 4.1.1.GA, 4.0.0.GA and 3.5.1.GA. Titanium 5.0.2.GA, 5.1.2.GA and 5.2.0.GA do not. If you have seen otherwise, please leave a comment on the JIRA ticket. Make sure you did build for production and manually targeted API level 22 for 5.0.2.GA.
What we’ve done
We have merged a fix to the 4_1_X, 4_0_X and 3_5_X branches that removes the affected class. The property to manually disable SSL certificate validation will no longer have any effect.
What you will need to do
If you have been publishing development builds or have manually disabled SSL certificate validation, you will need to make sure the SSL certificates of your servers are in order so you no longer need validation to be disabled. For example, use SSL Labs and make sure you check the Handshake Simulation results for the Android versions you need to support.
For affected apps and new apps, build using Titanium 5.x or a patched SDK and upload the APK. Wait for 24 hours to be sure Google’s security scan has run and verify no Security Alert has been raised.