I uploaded my app to the play store and I received an email from Google developer that I have to modify my sentences in the https code. I am doing a data submission over https using the TrustManager function. I have a valid ssl certificate in my url and everything works perfectly. But I have a deadline to modify and add a CertificateException to the code.
Google send me:
TrustManager
You can find more information about TrustManager in this Google Help Center article.
HostnameVerifier
Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how resolve the issue in this Google Help Center article.
And this is my code:
public class HttpsTrustManager implements X509TrustManager{
private static TrustManager[] trustManagers;
private static final X509Certificate[] _AcceptedIssuers = new X509Certificate[]{};
private X509Certificate[] x509Certificates;
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] x509Certificates, String s)
throws CertificateException {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] x509Certificates, String s)
throws CertificateException {
}
public boolean isClientTrusted(X509Certificate[] chain) {
return true;
}
public boolean isServerTrusted(X509Certificate[] chain) {
return true;
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return _AcceptedIssuers;
}
public static void allowAllSSL() {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
});
SSLContext context = null;
if (trustManagers == null) {
trustManagers = new TrustManager[]{new HttpsTrustManager()};
}
try {
context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, new SecureRandom());
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
HttpsURLConnection.setDefaultSSLSocketFactory(context
.getSocketFactory());
}
}
I hope you can help me. Thank you.
well in your code, you just trust everything.which is not safe. as google said, you should judge the certificate and raise an Exception. like this,
@Override public void checkServerTrusted( java.security.cert.X509Certificate[] x509Certificates, String s) throws CertificateException {
and the code