Google 如何修复 TrustManager 实施方式不安全的应用
引用谷歌市场的帮助说明:https://support.google.com/faqs/answer/6346016
本文面向的是发布的应用中 X509TrustManager 接口实施方式不安全的开发者。具体而言,该问题是指在与远程主机建立 HTTPS 连接时实施方式会忽略所有 SSL 证书验证错误,从而使您的应用容易受到中间人攻击。攻击者可能会读取传输的数据(例如登录凭据),甚至更改通过 HTTPS 连接传输的数据。要查看受影响应用的完整列表,请访问开发者控制台。
为了正确处理 SSL 证书验证,请更改您的自定义 X509TrustManager 接口的 checkServerTrusted 方法中的代码,指定在服务器提供的证书不符合您的预期时生成 CertificateException 或 IllegalArgumentException 错误。如有技术问题,您可以在 Stack Overflow 上发帖咨询(使用“android-security”和“TrustManager”标签)。
请尽快解决此问题并增加升级版 APK 的版本号。从 2016 年 5 月 17 日起,Google Play 将禁止发布 X509TrustManager 接口实施方式不安全的任何新应用或应用更新。
要确认您所做的更改是否正确,请将更新后的应用版本提交至开发者控制台,并在 5 小时后回来查看。如果应用并未正确升级,系统将会显示警告。
尽管这些具体问题可能不会影响每个实施 TrustManager 接口的应用,但您最好不要忽略任何 SSL 证书验证错误。如果应用包含会让用户面临入侵风险的安全漏洞,那么我们可能会将其视为危险产品,因其违反了内容政策和开发者分发协议第 4.4 条的相关规定。
***********************************************************************************
全文搜索X509TrustManager,结果发现在 proguard 文件夹下的 dump.txt 文件中出现了
1、
_____________________________________________________________________
+ Program class: com/baidu/b/a/f
Superclass: java/lang/Object
Major version: 0x32
Minor version: 0x0
Access flags: 0x20
= class com.baidu.b.a.f extends java.lang.Object
Interfaces (count = 1):
+ Class [javax/net/ssl/X509TrustManager]
Constant Pool (count = 34):
+ Class [com/baidu/b/a/d]
+ Class [com/baidu/b/a/d$b]
+ Class [com/baidu/b/a/f]
+ Class [java/lang/Object]
+ Class [java/security/cert/CertificateException]
+ Class [javax/net/ssl/X509TrustManager]
解决方法:更新百度地图的 Sdk
参考:http://developer.baidu.com/announcement/394
2、
_____________________________________________________________________
+ Program class: com/loopj/android/http/MySSLSocketFactory$1
Superclass: java/lang/Object
Major version: 0x32
Minor version: 0x0
Access flags: 0x20
= class com.loopj.android.http.MySSLSocketFactory$1 extends java.lang.Object
Interfaces (count = 1):
+ Class [javax/net/ssl/X509TrustManager]
Constant Pool (count = 41):
+ Class [com/loopj/android/http/MySSLSocketFactory]
+ Class [com/loopj/android/http/MySSLSocketFactory$1]
+ Class [java/lang/Object]
+ Class [java/security/cert/CertificateException]
+ Class [javax/net/ssl/X509TrustManager]
解决方法:
AsyncHttpClient
3 新浪微博
1 public static class MySSLSocketFactory extends SSLSocketFactory { 2 SSLContext sslContext = SSLContext.getInstance("TLS"); 3 4 public MySSLSocketFactory(KeyStore truststore) 5 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { 6 super(truststore); 7 8 TrustManager tm = new X509TrustManager() { 9 public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { 10 } 11 12 public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { 13 try { 14 chain[0].checkValidity(); 15 } catch (Exception e) { 16 throw new CertificateException("Certificate not valid or trusted."); 17 } 18 } 19 20 public X509Certificate[] getAcceptedIssuers() { 21 return null; 22 } 23 }; 24 25 sslContext.init(null, new TrustManager[] { tm }, null); 26 } 27 28 @Override 29 public Socket createSocket(Socket socket, String host, int port, boolean autoClose) 30 throws IOException, UnknownHostException { 31 return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose); 32 } 33 34 @Override 35 public Socket createSocket() throws IOException { 36 return sslContext.getSocketFactory().createSocket(); 37 } 38 }
解决方法:
checkServerTrusted 添加检查证书有效性(加粗部分)