I've an app in Google Play, today I received a mail from Google saying that:
Google Play warning: You are using an unsafe implementation of
X509TrustManager
It says something about the SSL certificate issues and a way to solve the issue.
I'm asking this question because of curiosity,
Actually what is this warning all about ?
I'm not using any network related activities in my app (it's a local database driven app), so why this warning occurred for my app?
More Details:
My app was built using Appcelerator Titanium and google says this implementation is in ti.modules.titanium.network.NonValidatingTrustManager;. I'm sure that I never used such a class in my code.
Actually what is this warning all about ?
You should have been linked to this page, which explains what it is all about. In a nutshell, Google is scanning apps for people who screw up SSL, such as blindly accepting all certificates as valid.
I'm not using any network related activities in my app (it's a local database driven app), so why this warning occurred for my app?
Because something else in your APK has done this. In the case of this developer, it was a library.
My app was built using Appcelerator Titanium and google says this implementation is in ti.modules.titanium.network.NonValidatingTrustManager;. I'm sure that I never used such a class in my code.
You may not have used it directly. However, something else is using it. Or, perhaps it is there because it is just part of the overall Titanium framework and remains in your APK.
Appcelerator is tracking this issue on JIRA here:
https://jira.appcelerator.org/browse/TIMOB-20431
We also put out a blog post with information here:
http://www.appcelerator.com/blog/2016/02/google-security-alert-unsafe-implementation-of-the-interface-x509trustmanager/
The email speaks about a May 17th deadline for newly submitted (!) apps and updates. We will have a fix and instructions ready in time.
Read this:
http://docs.appcelerator.com/platform/latest/#!/guide/SSL_Certificate_Store_Support_for_HTTP_Clients
It all about the Google pushing everybody to use https. If you are using into your app the Titanium.Network.createHTTPClient object, then you will have to implement that with this:
var certificateStore = require('ti.certificatestore').
The module can be find here: https://github.com/appcelerator-modules/ti.certificatestore
The problem is not related to the js code. It is inside Titanium sdk and no matter do you use some fucntions or not.
I think the possible solution is to rewrite class
https://github.com/appcelerator/titanium_mobile/blob/bc85170157d3bebc5de1d61a9fe6e34bce84a8c9/android/modules/network/src/java/ti/modules/titanium/network/NonValidatingTrustManager.java
We should create safe implementation of X509TrustManager
I just got the same message on a my apps. Same module specified as the OP.
ti.modules.titanium.network.NonValidatingTrustManager;
A few points from my research so far:
http://docs.appcelerator.com/platform/latest/#!/guide/SSL_Certificate_Store_Support_for_HTTP_Clients does discuss the problem and provide examples for iOS and Android. However:
the examples are different for each OS and require creating or downloading modules (the Android one is a couple years old now)
the docs specifically say these methods are no longer supported and
You should instead use the HTTPClient's securityManager property to
implement support for SSL Certificate Stores.
the SecurityManagerProtocol docs, unfortunately, have no examples. The few references I could find (http://docs.appcelerator.com/platform/latest/#!/api/Modules.Https) require the use of modules.https which is a PAID module only.
I'm left with the question: If Google rejects all Appcelerator apps with this particular issue, and only developers with paid subscriptions get an officially-supported solution, does this mean Appcelerator 'community edition' is officially incompatible with Google Play? Is Appcelerator planning to support HTTPS officially for it's community members?
Anyone from Appcelerator care to comment, please?
Thank you,
David
Related
Apache Log4J vulnerability https://www.csoonline.com/article/3644472/apache-log4j-vulnerability-actively-exploited-impacting-millions-of-java-based-apps.html is impacting a number of cloud services.
I am using log4j in my Android application.
How does it impact it or is there no impact at all?
I am assuming since the malicious actor could only run local scripts, it should not be an issue but I wanted to confirm.
Seems like Android apps are safe since JNDI isn't available on Android. I believe the following tweet was the first online mention of the vulnerability, and on the bottom of the second screenshot it says "Java's JNDI is not available on Android".
https://web.archive.org/web/20211209230040/https://twitter.com/P0rZ9/status/1468949890571337731
(original tweet got deleted https://twitter.com/P0rZ9/status/1468949890571337731/photo/2)
Background
I was recently tasked to work on an SDK that Android developers could use via simple dependency (got this working for Jitpack&Github, here).
One of the tasks I was given is to use Firebase for remote-config and Analytics (and maybe Crashlytics too), to be able to gather statistics and have some control of it using the cloud.
The problem
All tutorials, articles and documentations (example here) that I see of Firebase are for Android apps, and so the preparation itself requires a package-name of the app to be set.
This is impossible for an Android library that is supposed to be used as an SDK, as it's meant for many apps, each has its own package name.
What I've tried
I tried to ask Firebase support about this, but they told me they can only talk about Android apps, and gave me a Github link (here), probably hoping I could get something out of it.
I also tried to ask on reddit (here), but nobody knew the answer to this.
Looking at the list of available, official SDKs (here), I think such a thing might be possible if I register as if it's a website (or web-application), and then in code I would reach it as a website (using REST API on Retrofit), but not sure if there is a better way, whether it will work, and whether it's even according to the rules of using Firebase (I think should be ok).
There might be a way to use the C++ library that Firebase offers, too, but this would probably require a lot of adjustments.
Seeing that this might not be offered natively, I even made a request about it., here.
The questions
Is it possible to use Firebase inside Android libraries? As an SDK? Is it according to the rules of Firebase?
How do I do it? Is there perhaps a library for this? Maybe a general Java library ? I guess I should also be able to make it focus on my SDK's classes and functions, and ignore what's on the app itself.
If there is no library, where can I find the various functions that are available for the various services, so that I would implement them?
I'm trying to use a FireBase realtime database in my Oculus Quest app, but it seems like google-services isn't initializing properly when I build.
Everything works perfectly in my Unity Editor, and I'm not getting any errors. When I build to quest and use ADB Logcat I get this error:
NullReferenceException: Object reference not set to an instance of an object
at QuestionnaireManager.GiveAnswer (System.Int32 answer) [0x00035] in <7ee908d4e96e4aa6a0d12545247f5f0d>:0
at UnityEngine.Events.InvokableCall1[T1].Invoke (T1 args0) [0x00010] in <7717a69884ed4b33971896d8ee45333e>:0
at UnityEngine.Events.CachedInvokableCall1[T].Invoke (System.Object[] args) [0x00001] in <7717a69884ed4b33971896d8ee45333e>:0
at UnityEngine.Events.UnityEvent.Invoke () [0x00074] in <7717a69884ed4b33971896d8ee45333e>:0
at PhysicsButton.OnCollisionExit (UnityEngine.Collision other) [0x0002c] in <7ee908d4e96e4aa6a0d12545247f5f0d>:0
This blog post leads me to think that the XML files aren't initializing properly, but I'm having trouble following the steps they listed since I'm using Unity and don't know much about android-native, gradle, or gradle commands.
Any help is greatly appreciated!
I don't see any specific Firebase related logs in that code snippet, but Oculus Quest will be an interesting platform either way.
The first thing you should do when you integrate Firebase with a Unity project is call CheckAndFixDependenciesAsync. What this does is check to see if the user has an up to date version of Google Play Services on Android. On iOS and on the Desktop this call does nothing.
Google Play Services is also only available (to my knowledge) as a licensed service, it's not part of the Android Open Source Project. So mainstream Android phones and tablets tend to have access to it, but devices that fork Android (such as the Fire TV) do not. The Oculus Quest, to my knowledge, is running a forked version of Android without Google Play Services. If this assumption is accurate, then CheckAndFixDependenciesAsync will never return DependencyStatus.Available.
Now your specific question is about Realtime Database, which actually does not require Google Play Services (a good rule of thumb is that if it's open source, it doesn't require Play Services. But this isn't necessarily a guarantee). But if you use Firebase Authentication, which you probably do to effectively use Realtime Database rules, then that will require Play Services and definitely not run as-is on Android. Although this may hold at a native library level, remember that CheckAndFixDependenciesAsync will fail if your device doesn't support Play Services. In this situation, I do not know if FirebaseApp.DefaultInstance can ever be non-null, and therefore I don't know if Database.DefaultInstance can ever be non-null (in fact, this bug doesn't seem to bode well).
At this point, what are your options then?
If you're only developing an app for yourself, maybe you can sideload Play Services. I generally would recommend against this, as you're pulling a core piece of functionality from a possibly disreputable source. If you do this, everything will probably work (test on a phone before you do this just in case).
You could purely use the REST APIs. I've seen this plugin come up a bit, but you'll be missing out on some of the work the Firebase Games team does to really take advantage of Android's native capabilities (one side effect of which is the whole play store dependency after all).
You could expose your entire backend via Cloud Functions (or Cloud Run if you wanted to stay in the C# world). If you use normal (vs. Callable) functions, these are simple rest calls.
You could also use Unity's JNI interop to try to use the native Android SDK directly. This can be a little painful (JNI is never fun, even with helpers), but you could even use this project to get around the auth issues!
Oh, and above all else, file a feature request. Even though the bug is locked, it's useful to get more input about what is needed and why. So include which device you want to target, why, what you need Firebase to do, and any other information you feel comfortable sharing about your game.
I have made a game in Unity 3D 2019.2 Android and I have sent it to Google Play, I got this message,
Your app has a Security alert because is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability.
Please, I would be very grateful if you can you be so kind to help me in some way, to know where the X509TrustManager is inside Unity, where is it used in my project in Unity, and how to fix it, or where is it to modify it.
I have already searched a few hours over the internet any relation between Unity with X509TrustManager and Unity and have not been able to find any possible solution.
I use Split by architecture in Unity to build multiple APKs
I do not have any custom Android Manifest, it is built by Unity when the build is made.
I am not using any SSL certificate or using Trustmanager in any way as far as I know. I do not use any kind of plugins and do not have any kind of in-app purchase. I do not collect any user data and do not connect to the internet as far as I know
I do not have installed the Google Play plugin, I only have the Unity PlayServicesResolver
Google told me to look at this reference, but I have no idea about this and I am using Unity and do not know where is this
https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html#checkServerTrusted(java.security.cert.X509Certificate[]
It seems that it has any relation with java, but I have no idea about java, and I do not have any java files in my project, although I know that is used have to build the project in Unity for Android.
I expected to find some documentation about where or how is used the X509Trustmanager inside Unity to configure it but do not know where is it
Please, I would be very grateful if you can be so kind as to help me in some way.
Thanks very much for any possible help
As you mentioned, the might be in Java. It's using deprecated HTTP Apache for network call, and probably, default self signed CA. You could use deprecated source with setting in the Gradle, to use legacy library. But this will not resolve the problem.
Instead, you need to move to the Default HTTP UrlConnection, which is already tight to CA inside the system. This is also described in the Android Documentation. But as far, as you are using Unity, you are not handling it. So I think this question should be raised to the Unity support. At other hand, I deprecated for a long time, and I think Unity support should describe a way to resolve it already.
I want to use pubsub's pull subscription.
So far its been hard to figure out setting auth & fails in subscription or grpc.
Also its not recommended to package client-secret.json in apk.
Havent found any leads to setup on android
Has anyone done this on android
On the Setup client library its mentioned
Note: Cloud Java client libraries do not currently support Android.
Following this link for Pull Subscriber
Any help would be appreciated
Pub/sub to a mobile platform has some potential issues, depending on your use-case. For example, if a phone is off for a long time, pub/sub will queue a lot of messages which may be expensive. You also would need to create a topic for every user if you want to keep data for each user private.
You might find that Firebase Cloud Messaging is a better solution for pushing notifications to an android app.
Although the com.google.cloud.pubsub library doesn't support Android, the com.google.api.services.pubsub library does. com.google.api.services.pubsub is auto-generated, so is harder to use and worse documented, but it should work on Android.
See client libraries explained for the difference between the libraries.