TrustAllX509TrustManager lint error
Describe the bug
TrustAllX509TrustManager is raised by Lint 30.4.0 (AGP 7.4.0). Basically, if lint finds any unsafe implementation of X509TrustManager, it raises this issue.
This is pretty serious because Android apps having at least one implementation like that can be removed from the Play Store: https://support.google.com/faqs/answer/6346016?hl=en.
The Lint issue is introduced with AGP 7.4.0 but the problem is not related to the Android Gradle Plugin version. Any app is affected by this.
To reproduce
Just launch the lint task with AGP 7.4.0 and Android lint 30.4.0.
Expected behavior
No unsafe implementation of X509TrustManager is present.
Actual behavior
An unsafe implementation of X509TrustManager is present.
Additional context
There is already an open issue on Bouncy Castle's repository, https://github.com/bcgit/bc-java/issues/1306, but I am not yet sure about their plans.
The result is that all apps depending on PdfBox-Android transitively depend on Bouncy Castle libraries and are unsafe.
The reported class is org.bouncycastle.est.jcajce.JcaJceUtils in bcpkix-jdk15on-1.67 and bcpkix-jdk15to18-1.72 jars.
Have you had an app flagged on the Play Store because of this? The BouncyCastle libraries can probably be excluded if encryption/decryption isn't needed, but that doesn't solve the issue if they are needed.
Have you had an app flagged on the Play Store because of this?
No, but I wouldn't take the risk. Luckily, those classes seem to be unused so DexGuard removed them for us. I guess ProGuard and R8 would do the same.
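To confirm whether the class named in this report is actually present in a dependency or in a shrunk build, the archive can be inspected directly. The script below is an added example, not part of the thread and not code from PdfBox-Android or Bouncy Castle; the function names and the sample archive are constructed for illustration, and it assumes class names have not been renamed by the shrinker.

```python
import io
import sys
import zipfile

# Class reported in this issue, written as a JVM internal name.
FLAGGED = "org/bouncycastle/est/jcajce/JcaJceUtils"


def find_flagged(archive, internal_name=FLAGGED):
    """Return sorted (entry, kind) hits for the class in a .jar/.aar/.apk.

    `archive` is a path or a binary file object. Nested .jar entries
    (for example classes.jar inside an .aar) are scanned recursively.
    """
    dex_ref = b"L" + internal_name.encode()  # type descriptor in the dex string pool
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class"):
                # Strip ".class" and any inner-class suffix ($1, $Inner).
                base = name[:-len(".class")].split("$", 1)[0]
                # endswith covers multi-release paths under META-INF/versions/.
                if base == internal_name or base.endswith("/" + internal_name):
                    hits.append((name, "class"))
            elif name.endswith(".dex"):
                data = zf.read(info)
                if dex_ref + b";" in data or dex_ref + b"$" in data:
                    hits.append((name, "dex"))
            elif name.endswith(".jar"):
                nested = io.BytesIO(zf.read(info))
                hits += [(name + "!" + n, k) for n, k in find_flagged(nested, internal_name)]
    return sorted(hits)


def build_sample(entries):
    """Constructed sample archive: {entry name: bytes} -> in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With no arguments, scan a constructed jar so the script runs offline.
    targets = sys.argv[1:] or [build_sample({FLAGGED + ".class": b""})]
    for target in targets:
        print(target, "->", find_flagged(target) or "not present")
```

A miss on a minified APK shows only that the name is gone, which renaming also produces; the shrinker's usage and mapping output distinguishes removal from renaming.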
Hi, I am also dealing with this problem. Is there any solution?