I would like to get the list of all revoked certificates downloaded on an Android device. I know that this class allows you to check whether a certificate is revoked or not, but I want to get the whole list of revoked certificates. Is it possible? Does Android store such a list, or does it use OCSP to check the certificates?
It would appear that Android does not store a certificate revocation list (or at least if it does then it doesn't use it). There's a reddit thread from a few years ago that brings this up and discusses the pros/cons of it, but the essence of it is that if you go to https://revoked.grc.com/ (which should throw an error if your browser checks for revoked certificates) on mobile Chrome, you'll be notified that your browser doesn't check for revoked certificates.
From the page above (revoked.grc.com, which you shouldn't be able to see unless you're using a browser without a CRL):
The mobile Android platform currently offers no certificate revocation checking of its own, so Android apps (including all users of Google's Chrome browser) are vulnerable to malicious certificate abuse. The only way to use Android securely today is with Firefox, which brings along its own certificate security.
A couple more sources I found (again a few years old, but they still seem to be relevant and accurately describe the current situation):
An issue on the OkHttp (an Android http client) github discussing whether to add certificate revocation checks, where they decide not to
The CommonsBlog, discussing the lack of certificate revocation checks on Android
A Chromium issue about the lack of a CRL, where one of the developers states that it won't be added and presents the justification:
Marking this WontFix for two reasons:
1) Revocation checking is the responsibility of Android and the related SSL APIs. Android itself does not and has never performed revocation checking [...]
2) Revocation checking generally doesn't work (as a security feature), and especially for mobile, greatly affects performance (negatively) and privacy (negatively)
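Since the platform performs no revocation checking, an app that needs it has to fetch the issuing CA's CRL itself and evaluate it. The following is an added example, not code from the question or the answers above: it loads a leaf certificate, its issuer and a downloaded CRL from file paths given on the command line (the file names are assumptions), verifies the CRL's signature and freshness before trusting it, enumerates the revoked entries (the "whole list" the question asks for) and looks up the leaf. Only standard `java.security.cert` classes are used, which Android also ships; fetching the CRL from the URL in the certificate's CRL Distribution Points extension is left to the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

/*
 * Added example (not from the original post). Usage, with assumed file names:
 *   java CrlCheck leaf.pem issuer.pem issuer.crl
 * The CRL must already have been downloaded from the CA's distribution point.
 */
public class CrlCheck {

    private static final CertificateFactory FACTORY;
    static {
        try {
            FACTORY = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) FACTORY.generateCertificate(in);
        }
    }

    public static X509CRL loadCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) FACTORY.generateCRL(in);
        }
    }

    /** Rejects a CRL that was not signed by the issuer, is not yet valid, or is stale. */
    public static void validateCrl(X509CRL crl, X509Certificate issuer, Date now) throws Exception {
        // A CRL only says something about certificates issued by the CA that signed it.
        if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new SecurityException("CRL issuer does not match the certificate issuer");
        }
        crl.verify(issuer.getPublicKey()); // throws SignatureException on a forged or corrupted list
        if (now.before(crl.getThisUpdate())) {
            throw new SecurityException("CRL is not yet valid");
        }
        // nextUpdate is optional in RFC 5280, but a CRL past it must be refetched, not reused.
        Date next = crl.getNextUpdate();
        if (next != null && now.after(next)) {
            throw new SecurityException("CRL is stale; fetch a fresh copy");
        }
    }

    /** Returns the revocation entry for the leaf, or null if the CRL does not list it. */
    public static X509CRLEntry revocationEntry(X509CRL crl, X509Certificate leaf) {
        return crl.getRevokedCertificate(leaf);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = loadCertificate(args[0]);
        X509Certificate issuer = loadCertificate(args[1]);
        X509CRL crl = loadCrl(args[2]);

        validateCrl(crl, issuer, new Date());

        // Every revoked serial the CA has published in this list.
        Set<? extends X509CRLEntry> entries = crl.getRevokedCertificates();
        System.out.println("CRL lists " + (entries == null ? 0 : entries.size()) + " revoked certificates");

        X509CRLEntry entry = revocationEntry(crl, leaf);
        if (entry != null) {
            System.out.println("REVOKED: serial " + entry.getSerialNumber().toString(16)
                    + " on " + entry.getRevocationDate()
                    + (entry.getRevocationReason() != null ? " (" + entry.getRevocationReason() + ")" : ""));
            System.exit(1);
        }
        System.out.println("Not listed as revoked by this CRL");
    }
}
```

A CRL that fails `validateCrl` must be treated as "no information", not as "not revoked"; the freshness check is what stops an attacker from replaying an old list that predates the revocation of a compromised certificate.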
Related
I'm building a site that is using Webauthn for passwordless log in. Currently, this is working great on Chrome for Windows and macOS.
I'm using a YubiKey 5 to test my implementation, which supports using a PIN to provide User Verification instead of just plain User Presence (i.e. the user touched the key's button).
However, when I try to use this same site on Chrome 76 on Android 9, I am not prompted for a pin and so the User Verification flag is not set and my log in (by design) fails.
Google has made a big deal about Android 7+ being FIDO2 compliant but I can't seem to find any mention of this critical missing feature other than an outdated article that mentions that:
We are also working on more advanced flows enabled by CTAP 2 and WebAuthn, such as PIN protected authenticators, local selection of accounts (instead of typing a username or password), and fingerprint enrollment.
Fingerprint enrollment is now supported; are PIN protected authenticators still unsupported, even though the Windows and macOS versions of Chrome 76 support them?
This is the relevant part of my call to navigator.credentials.create() that should be requiring user verification:
"authenticatorSelection": {"requireResidentKey": false, "userVerification": "required"}
It turns out that this is currently not implemented in Android's Google Play Services. I've filed a bug with the Chromium project which is tracking its eventual implementation.
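The "fails by design" behaviour in the question comes from the relying party checking the flags byte inside the `authenticatorData` the client returns, not from trusting the `userVerification` option it sent. As an added example (not code from the question or its answer, and the RP ID `login.example` is a constructed value), this is the server-side check: the authenticator data begins with a 32-byte SHA-256 of the RP ID, one flags byte and a 4-byte signature counter; bit 0 is User Presence and bit 2 is User Verification. A touch-only response, like the one the Android/Chrome 76 combination produced, carries flags 0x01 and is rejected when UV was required; a PIN-verified response carries 0x05 and is accepted.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/* Added example (not from the original post): parsing the fixed 37-byte prefix of
 * WebAuthn authenticatorData and applying the UP/UV policy on the server side. */
public final class AuthenticatorDataCheck {

    public static final int FLAG_UP = 0x01; // bit 0: user present (touch)
    public static final int FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)
    public static final int FLAG_AT = 0x40; // bit 6: attested credential data follows
    public static final int FLAG_ED = 0x80; // bit 7: extension data follows

    public static final class Parsed {
        public final byte[] rpIdHash;
        public final int flags;
        public final long signCount;

        Parsed(byte[] rpIdHash, int flags, long signCount) {
            this.rpIdHash = rpIdHash;
            this.flags = flags;
            this.signCount = signCount;
        }
    }

    /** Reads rpIdHash, flags and signCount; attested credential data and extensions are left to the caller. */
    public static Parsed parse(byte[] authData) {
        if (authData == null || authData.length < 37) {
            throw new IllegalArgumentException("authenticatorData must be at least 37 bytes");
        }
        ByteBuffer buf = ByteBuffer.wrap(authData); // big-endian, as the spec requires
        byte[] rpIdHash = new byte[32];
        buf.get(rpIdHash);
        int flags = buf.get() & 0xFF;
        long signCount = buf.getInt() & 0xFFFFFFFFL;
        return new Parsed(rpIdHash, flags, signCount);
    }

    public static boolean userPresent(int flags) { return (flags & FLAG_UP) != 0; }
    public static boolean userVerified(int flags) { return (flags & FLAG_UV) != 0; }

    /** True if the hash in the assertion is SHA-256 of the RP ID this server expects. */
    public static boolean matchesRpId(Parsed p, String expectedRpId) {
        try {
            byte[] expected = MessageDigest.getInstance("SHA-256")
                    .digest(expectedRpId.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, p.rpIdHash);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** The RP-side decision: UP is always required; UV only when the ceremony asked for "required". */
    public static boolean acceptAssertion(Parsed p, String expectedRpId, boolean uvRequired) {
        return matchesRpId(p, expectedRpId)
                && userPresent(p.flags)
                && (!uvRequired || userVerified(p.flags));
    }

    public static void main(String[] args) throws Exception {
        String rpId = "login.example"; // constructed RP ID
        byte[] rpIdHash = MessageDigest.getInstance("SHA-256").digest(rpId.getBytes(StandardCharsets.UTF_8));

        // Constructed authenticatorData samples: correct rpIdHash, counter 7, only the flags differ.
        byte[] touchOnly = build(rpIdHash, FLAG_UP, 7);             // key touched, no PIN prompt
        byte[] pinVerified = build(rpIdHash, FLAG_UP | FLAG_UV, 7); // key touched after PIN entry

        for (byte[] sample : Arrays.asList(touchOnly, pinVerified)) {
            Parsed p = parse(sample);
            System.out.printf("flags=0x%02x UP=%b UV=%b signCount=%d -> %s%n",
                    p.flags, userPresent(p.flags), userVerified(p.flags), p.signCount,
                    acceptAssertion(p, rpId, true) ? "accept" : "reject: user verification required");
        }
    }

    static byte[] build(byte[] rpIdHash, int flags, int signCount) {
        return ByteBuffer.allocate(37).put(rpIdHash).put((byte) flags).putInt(signCount).array();
    }
}
```

The signature over `authenticatorData || SHA-256(clientDataJSON)` still has to be verified with the stored public key before any of these flags mean anything; the flags check above is the policy step that runs after that verification succeeds.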
I developed an app using the Codename One platform. After submitting the app to the Play Store I received the following warning email:
*"We detected that your app(s) listed at the end of this email are using an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. You can also see the list of affected apps, as well as details such as version numbers and class names, on the Alerts page in your Developer Console.
Your current implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
What’s happening
Beginning November 25, 2016, Google Play will block publishing of any new apps or updates that contain this vulnerability. Your published APK version will remain unaffected, however any updates to the app will be rejected unless you address this vulnerability.
Action required
To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.
After making changes, sign in to your Developer Console and submit the updated version of your app.
Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly."*
I was researching but unfortunately I didn't find anything about that. I think that maybe it is an internal issue of the platform, but I am not sure. What do you think?
Thanks in advance.
Not properly validating the certificate of an SSL connection is a serious issue because this way you effectively weaken the protection offered by SSL a lot and allow easy man-in-the-middle attacks. This way an attacker might sniff the transferred data and even modify the data.
Thus the issue should be fixed.
But with the currently shown information it is impossible to say whether the error is in your (unknown) code, in some (unknown) third-party library, or in the wrong usage of a third-party library. But a common cause for such errors is that one is trying to use a self-signed certificate and switches off validation for this purpose. Another common cause is the intention to switch off validation for development only, but then inadvertently failing to enable it again for production.
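To make the Play alert concrete, here is an added example (not code from the question, the answers, or Codename One) showing the flagged pattern beside a version that follows the email's rule: `proceed()` only when the presented certificate is the one you expect, `cancel()` otherwise. Since the usual trigger is a self-signed or development certificate, the safe variant pins the SHA-256 fingerprint of that single certificate (the DER digest `openssl x509 -fingerprint -sha256` prints) instead of disabling validation. The pin value is a placeholder, `SslCertificate.getX509Certificate()` requires API 29, and on older levels the handler falls through to `cancel()`.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;

/* Added example (not from the original post): the unsafe handler next to a pinned one. */
public class SslErrorClients {

    /** What the Play alert describes: every validation error is accepted, so any certificate is trusted. */
    public static class UnsafeClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // expired, hostname-mismatched and attacker-issued certificates alike
        }
    }

    /** The fix: errors stay fatal unless the certificate is exactly the one we expect. */
    public static class PinnedClient extends WebViewClient {
        // Placeholder: replace with the SHA-256 of the DER encoding of your own certificate.
        private static final String PINNED_SHA256_HEX = "PLACEHOLDER_REPLACE_WITH_64_HEX_CHARS";

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            if (matchesPin(error.getCertificate())) {
                handler.proceed();
            } else {
                handler.cancel(); // same as the default WebViewClient behaviour
            }
        }

        static boolean matchesPin(SslCertificate presented) {
            if (presented == null || Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) {
                return false; // no way to read the full certificate before API 29: stay closed
            }
            X509Certificate x509 = presented.getX509Certificate();
            if (x509 == null) {
                return false;
            }
            try {
                byte[] actual = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
                return MessageDigest.isEqual(actual, hexToBytes(PINNED_SHA256_HEX)); // constant time
            } catch (Exception e) {
                return false; // a malformed pin or encoding failure must not open the connection
            }
        }
    }

    static byte[] hexToBytes(String hex) {
        if (hex.length() != 64) {
            throw new IllegalArgumentException("expected a 32-byte hex digest");
        }
        byte[] out = new byte[32];
        for (int i = 0; i < 32; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Pinning one certificate means the same error returns when that certificate is rotated, so for a server with a publicly trusted certificate no override is needed at all (the callback never fires), and for a private CA the cleaner route on API 24+ is a Network Security Config that adds the CA as a trust anchor, which keeps the default `cancel()` handler intact.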
You can look through the sources of the Codename One port and see that there is no usage of that method:
https://github.com/codenameone/CodenameOne/blob/master/Ports/Android/src/com/codename1/impl/android/AndroidImplementation.java#L3768
So there is no such violation within Codename One as far as I can tell. There are thus two options I can think of:
Google is wrong - wouldn't be the first time with those guys...
I submitted a Codename One Android app just the other day and didn't get such an error
You added a 3rd party cn1lib/extension/native code to your project which you can verify by looking under android/native or within the lib directory to see if you have anything in the former or a .cn1lib file in the latter.
We run a web application with a JavaScript and an Android front end. We use Google IDs with OAuth for authentication. Everything worked fine until today, when authentication suddenly stopped working. There was no new software version deployed or any operational change. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via the Android app, authentication fails too; GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say one should try to change the application name in the consent screen. This didn't help in my case.
In the developer console I noticed that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out that our Android app was removed from the Play Store and we got the following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy. Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously, as the whole app is about security and our customers' trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state, which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confidential data of any kind. We published a couple of related apps, and not all of them even include the feature, but all were suspended. However, we guess that this feature is the reason for the removal.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed that our app collects names of running tasks and sends them to our servers, which is not the case. However, we used the Crittercism library and the Crittercism docs suggest requiring the "GET_TASKS" permission, which we did. I don't think that Crittercism is considered dangerous, as it's used by lots of applications. But maybe the combination of a logging service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements, as it wasn't very useful for us anyway.
I have a code cert that is going to expire soon and have recently acquired a new cert from the same provider. I need to transition my Android app from the older cert to the new cert. However, because the certs are different, Android requires a full uninstall (deleting app data, which I would prefer to avoid).
Due to my client specification I'm unable to use a self signed cert.
Is there a way to transfer without losing the local app data?
I am aware that adt -migrate exists, but when I use it I get the following error:
Migration certificate can only be applied to desktop native installers with native extensions. Target: apk
Extending certificate validity should be your first choice.
Let your CA extend your certificate instead of purchasing a new one.
All certificate information will be preserved and your clients won't need to uninstall the app at all.
Is there a way to transfer without losing the local app data?
No, other than by backing up the data, uninstalling the old app, installing the new app, and restoring the data. If your app does not already have a full backup mechanism, then you are in a world of hurt, if you cannot get the CA to extend the certificate (per flx's answer).
Due to my client specification I'm unable to use a self signed cert.
That does not change the fact that you need a signing key that will live long enough for the lifetime of the app. And, since certificate authorities do go out of business, your client should buy a suitably long certificate now, rather than assuming that an extension can be obtained at any point in the future.
Or, your client should come to its senses and use a self-signed certificate.
I am planning to drop my app in Google Play (formerly Android Market) because of push notifications (whenever there is a new version), security for the apk and so on. And also, since the apk is secured with Google Play (paid apks), I dropped downloading the apk from my website (only authenticated people can download the apk).
Actually it's a business app for particular users with username and login access. Everything was fine in the app with login and security mechanisms.
I am thinking of a way to restrict other users who are not on the list at install time itself.
My question is whether any kind of filter or authentication mechanism can be set so that, while downloading the application from Google Play, it asks for a password or something like this to filter out unauthorized users from downloading the app.
My ultimate aim is that I don't want people to try it after downloading unnecessarily.
Can anybody who has tried all those in the Android Market help?
Ok.. One thing after another..
Google proposes their licensing mechanism. However, the app would need an internet connection, which is a disadvantage if it otherwise doesn't need one. If I got it right, yours does need to connect to a server, so this is not a problem for you. It seems to me you are already familiar with this method.
A mechanism for password-protecting the download or visibility of apps on Google Play doesn't exist today.
You can identify users with the IMEI (in case you don't consider using the app on tablets, which don't have one), the WLAN MAC address, the BT MAC address or some exotic combination of these methods, and use this as authentication.
The best solution, from my point of view, is to allow people on the market to download it. Your application is already using some mechanism of authentication (user/password) to the server. So the first thing the user needs to do is log in, and any functionality is disabled if that doesn't pass. If it passes, you already know who your user is and what privileges he has.
The thing here is that I am not so sure what your concerns are when a user without login/pass downloads the application if everything after that screen is disabled before authentication. Users will download it (if they find it), they will install it, try to use it, see that it's not possible without credentials and uninstall it.
Hope it helped. I will try to add a few more links in a while.