Appcelerator Blog


Update on recent Google Security Alerts


In February, a number of Titanium developers received Google Security Alerts for their apps. To learn more about this alert, see our initial blog post.

TL;DR: Google's security scan, which is fairly simplistic, has flagged an implementation of the X509TrustManager interface in a Titanium SDK class as unsafe. That class is not used by production builds by default, but it is still present in the SDK: a developer has to publish a development build, or manually disable SSL certificate validation, for it to be used in production. If the class is not used, there is no actual security issue. Regardless, beginning May 17, 2016, Google will not accept new apps or updates to existing apps that trigger this security alert.
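As an added illustration (this is not code from the Titanium SDK or from this post), here is the shape of X509TrustManager implementation that Google's scan flags, beside a hardened version that delegates to the platform's default trust store. The class and method names are hypothetical; the `disableValidation` flag stands in for the SDK property this post describes, and the `main` method exercises both managers offline with an obviously bogus (empty) chain rather than a live connection.

```java
// Added example, not Titanium SDK code. Names are hypothetical.
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class TrustManagerExample {

    /** UNSAFE: accepts every certificate. checkServerTrusted never throws,
     *  which is exactly the shape the Play security scan flags. */
    static final class TrustAllManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // no validation
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // No validation: expired, self-signed or wrong-host chains are all accepted,
            // so any on-path attacker can terminate the TLS session.
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /** SAFE: the platform's own X509TrustManager, backed by the system CA store. */
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Builds an SSLContext. 'disableValidation' mirrors the SDK property that the
     *  patched branches ignore; the safe default is to never honour it. */
    static SSLContext buildContext(boolean disableValidation) throws Exception {
        X509TrustManager tm = disableValidation ? new TrustAllManager() : platformTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty chain, which no real peer would present.
        X509Certificate[] bogusChain = new X509Certificate[0];

        // The unsafe manager accepts it without complaint.
        new TrustAllManager().checkServerTrusted(bogusChain, "RSA");
        System.out.println("trust-all manager accepted an empty chain (this is the bug)");

        // The platform manager rejects it (JDK and Android both throw here).
        try {
            platformTrustManager().checkServerTrusted(bogusChain, "RSA");
            System.out.println("unexpected: platform manager accepted an empty chain");
        } catch (CertificateException | IllegalArgumentException e) {
            System.out.println("platform manager rejected the empty chain: " + e);
        }

        // The context an app should actually use:
        SSLContext safe = buildContext(false);
        System.out.println("safe context protocol: " + safe.getProtocol());
    }
}
```

The trust manager only validates the chain; hostname verification is a separate step (the HostnameVerifier, or endpoint identification on the socket), so restoring chain validation while leaving an accept-all HostnameVerifier in place would still let a valid certificate for any other host be accepted. Both checks have to be intact for the fix to mean anything.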

Affected Titanium SDK versions

We uploaded APKs to Google Play to test the latest major and minor releases since 3.5.1.GA. These were all production builds that did not manually disable SSL certificate validation. For 5.0.2.GA and older we manually targeted Android API level 22; Titanium 5.1.2.GA and later target API level 23 by default.

These tests showed that Google raises the Security Alert only for 4.1.1.GA, 4.0.0.GA and 3.5.1.GA; Titanium 5.0.2.GA, 5.1.2.GA and 5.2.0.GA do not trigger it. If you have seen otherwise, please leave a comment on the JIRA ticket, and make sure you built for production and, for 5.0.2.GA, manually targeted API level 22.

What we’ve done

We have merged a fix to the 4_1_X, 4_0_X and 3_5_X branches that removes the affected class. On these branches the property to manually disable SSL certificate validation no longer has any effect.

You can get CI builds for these branches from our build server, or patch your custom build. Run the install command below with the Titanium CLI, or prefix it with "appc" if you use the Appcelerator CLI:

Branch   CI build
4_1_X    ti sdk install -b 4_1_X 4.1.1.v20160311104258
4_0_X    ti sdk install -b 4_0_X 4.0.1.v20160311104206
3_5_X    ti sdk install -b 3_5_X 3.5.2.v20160311103211

What you will need to do

If you have been publishing development builds or manually disabling SSL certificate validation, you will need to make sure the certificates of your servers are in order, so that validation no longer needs to be disabled. For example, run your servers through SSL Labs and check the Handshake Simulation results for the Android versions you need to support: a chain that desktop browsers accept can still fail on older Android releases, most often because an intermediate certificate is missing from the chain or the server offers no cipher suite or TLS version the old device supports.

For affected apps and new apps, build with Titanium 5.x or one of the patched SDKs and upload the APK. Wait 24 hours to be sure Google's security scan has run, then verify that no Security Alert has been raised.


17 Comments

  1. Jigs

    Currently I am using Titanium 3.2.2 GA, so could you please help me with how I can resolve this issue?

    • Although 3.2.2.GA (March 2014) is no longer supported, you can apply the provided patches to the 3_2_X branch and do a custom build.

      • Jigs

        Hi Fokke

        I am trying to compile my app using the Appcelerator Titanium 5.2.0 build,

        and it throws the following error while installing the app on a device (Android 4.0.4):

        java.lang.NoSuchMethodError: android.app.Activity.startActivity; Titanium 5.2.0

        I just created a simple window in my application.

        code snippets:

        Titanium.UI.setBackgroundColor('#000');

        var window = Titanium.UI.createWindow({
            backgroundColor: 'red'
        });
        window.open();

        However, if I implement a tabgroup and open it, then it works fine.

        Could you please help me to resolve this issue?

        • Hi Jigs, unfortunately this is an Android 4 specific regression that will be fixed in 5.2.1.

        • Kevin

          Hi Jigs,

          I had this issue last week on Android devices. To resolve it I had to add the following arguments to the open window command.

          mainWindow.open({
          activityEnterAnimation: Ti.Android.R.anim.fade_in,
          activityExitAnimation: Ti.Android.R.anim.fade_out
          });

          I hope this solves your problem.

  2. Jigs

    Hi,
    Thanks for all your help.

    Finally my app is running fine after compiling with the Titanium SDK

    3_5_X [appc] ti sdk install -b 3_5_X 3.5.2.v20160311103211

    that is listed above.

    So by just compiling with the above SDK, does this solve my Google Play Store security issue, or do I need to do something at the code level? My app contains HTTPS connections, and while using Ti.Network.createHTTPClient() I am not using the property "validatesSecureCertificate : Boolean".

    Please suggest if I need to do anything with this property.
    Also I am compiling the app using run as device.

    • Jigs, if you haven’t been relying on that property or development builds that’s all you should need to do.

      • Jigs

        Can you give me a hint on this "validatesSecureCertificate : Boolean"?
        Should it be true or false?

        • With the patched SDKs, it will be true regardless of the environment or if you’ve tried to manually set it to false. In Titanium SDK 5.0 and later it looks like setting it to false does not trigger the security alert, but really you shouldn’t. Whatever API you use should always have valid certificates.

  3. Jigs

    Hi
    After uploading the .apk to my Google Play Store account, it now shows "Affects APK version XX", which is the older one. So now I am not getting any "affects" alert for the new version that I uploaded, but I am still getting the yellow security alert message, so is that issue resolved or not?

    • If the new APK does not show a security alert after a day, then you are good to publish that APK. You can remove the APK with the alert if you like.

  4. Juan Pablo

    So, I’m using Titanium 5.1.2.GA. We need to downgrade to 4_1_X?

    • No, you don’t need to downgrade. Our tests have shown that Titanium 5.0 and later do not trigger the security alert.

  5. Masuda

    I published with 3.1.3GA and got a security alert mail from Google.
    If I update to SDK 5.2.2GA and just publish an apk, will that fix this issue?

    • It would, but that’s quite a big leap. You could also update to 3.5.1 first and use the listed CI build with the fix.

      • narender

        Hi,

        I am using the 3.5.1 SDK, and if I try to update to 5.2.x, will the application run successfully?
        Because I got an issue: I am not using the Action Bar but it is showing even when I hide it.
        I observed some UI issues. Please suggest how an app which runs exactly with 3.5.x should run the same in 5.2.x.

        • 3.5.1 is two years old and a lot has changed since. In particular with 4.0 where we switched to Android Material Design Theme. I’d suggest reading through the major release notes for breaking changes related to Android (themes).

