googleapis
Security Vulnerability Issue
<issue
id="TrustAllX509TrustManager"
severity="Warning"
message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
category="Security"
priority="6"
summary="Insecure TLS/SSL trust manager"
explanation="This check looks for X509TrustManager implementations whose `checkServerTrusted` or `checkClientTrusted` methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.">
<location
file="Project\com\google\api\client\util\SslUtils$1.class"/>
</issue>
I am using androidpublisher and oauth2. Because of them, I think my app removed from playstore. I gave all the necessary info below the link. What can I do?
https://stackoverflow.com/questions/65491217/how-can-i-find-and-fix-my-android-apps-security-vulnerability?noredirect=1#comment115787447_65491217
How are you instantiating your http transport implementation for the API client?
We suggest that you use either GoogleNetHttpTransport.newTrustedTransport() or GoogleApacheHttpTransport.newTrustedTransport(). These 2 helpers create HttpTransport instances that use include trusted keys for Google APIs.
Example:
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
GoogleCredentials googleCredentials = GoogleCredentials.create(access_token); // replace with your auth method
HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(googleCredentials);
Storage storage = new Storage.Builder(httpTransport, jsonFactory, requestInitializer)
.setApplicationName("MyProject-1234")
.build();
How are you instantiating your http transport implementation for the API client?
We suggest that you use either
GoogleNetHttpTransport.newTrustedTransport()orGoogleApacheHttpTransport.newTrustedTransport(). These 2 helpers createHttpTransportinstances that use include trusted keys for Google APIs.Example:
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport(); JsonFactory jsonFactory = JacksonFactory.getDefaultInstance(); GoogleCredentials googleCredentials = GoogleCredentials.create(access_token); // replace with your auth method HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(googleCredentials); Storage storage = new Storage.Builder(httpTransport, jsonFactory, requestInitializer) .setApplicationName("MyProject-1234") .build();
Thank you for your response. I am using it like this;
OkHttpService service = new OkHttpService(); // Firstly, I am getting credentials.json with okhttp3. Because of its here.
SubscriptionPurchase purchase = new AndroidPublisher.Builder(new NetHttpTransport(), JacksonFactory.getDefaultInstance(),
new HttpCredentialsAdapter(GoogleCredentials.fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null)).
createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER))).setApplicationName(String.valueOf(R.string.app_name)).
build().purchases().subscriptions().
get(BuildConfig.APPLICATION_ID, subscriptionID, token).execute();
Changed it to this as you said;
OkHttpService service = new OkHttpService();
SubscriptionPurchase purchase = new AndroidPublisher.Builder(GoogleNetHttpTransport.newTrustedTransport(), JacksonFactory.getDefaultInstance(),
new HttpCredentialsAdapter(GoogleCredentials.fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null)).
createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER))).setApplicationName(String.valueOf(R.string.app_name)).
build().purchases().subscriptions().
get(BuildConfig.APPLICATION_ID, subscriptionID, token).execute();
Still the same.
