Unsafe implementation of the interface X509TrustManager - Google Play

Question

When I try to upload an application to google play, I get a message. "Unsafe implementation of the interface x509trustmanager". In a message from Google Play it says:

To avoid problems when validating the SSL certificate, change the code of the checkServerTrusted method in the X509TrustManager interface so that a CertificateException or IllegalArgumentException is thrown when it detects suspicious certificates.

All the options I've found use the checkValidity method to validate the certificate but Google also adds:

Do not use checkValidity to validate the server's certificate. This method checks the validity of the certificate, not its security.

How can I change the code of the checkServerTrusted method correctly? My current implementation of x509TrustManager:

X509TrustManager trustManager = new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] cArrr = new X509Certificate[0];
            return cArrr;
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain,
                                       final String authType) throws CertificateException {
            try {
                chain[0].checkValidity();
            } catch (Exception e) {
                throw new CertificateException("Certificate not valid or trusted.");
            }
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain,
                                       final String authType) throws CertificateException {
        }
    };

Answer 1

I changed the X509TrustManager implementation this way and the app passed Google Play verification:

TrustManager[] victimizedManager = new TrustManager[]{

                new X509TrustManager() {

                    public X509Certificate[] getAcceptedIssuers() {

                        X509Certificate[] myTrustedAnchors = new X509Certificate[0];

                        return myTrustedAnchors;
                    }

                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                        if(chain == null || chain.length == 0)throw new IllegalArgumentException("Certificate is null or empty");
                        if(authType == null || authType.length() == 0) throw new IllegalArgumentException("Authtype is null or empty");
                        if(!authType.equalsIgnoreCase("ECDHE_RSA") &&
                                !authType.equalsIgnoreCase("ECDHE_ECDSA") &&
                                !authType.equalsIgnoreCase("RSA") &&
                                !authType.equalsIgnoreCase("ECDSA")) throw new CertificateException("Certificate is not trust");
                        try {
                            chain[0].checkValidity();
                        } catch (Exception e) {
                            throw new CertificateException("Certificate is not valid or trusted");
                        }
                    }
                }
        };

Answer 2

I've had this error before. In my case, this is what fixed it:

private boolean isVerified;

@SuppressLint("TrulyRandom")
public static void handleSSLHandshake() {
    try {
        TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        }};

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(final String host, final SSLSession session) {
                System.out.print("host" + host+ "\n");
                isVerified = host.equalsIgnoreCase(Constants.hostNameVerifierString)
                        || host.contains("google") || host.contains("gstatic");

                System.out.print(isVerified);
                return isVerified;
            }
        });
    } catch (Exception ignored) {
    }
}

In the activity where you have a network call you can call the handleSSLHandshake() method. Or if you use Dagger or any dependency injection library , you should be able to inject it wherever you want to create network calls.

The Constants.hostNameVerifierString is the URL I was using for network calls , the "google" and "gstatic" were added because I was also using google maps.