
Security Vulnerability Issue #6792

Open
MaxAndolini opened this issue Dec 29, 2020 · 3 comments
Labels: needs more info (This issue needs more information from the customer to proceed.), priority: p4, type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)

Comments

@MaxAndolini

    <issue
        id="TrustAllX509TrustManager"
        severity="Warning"
        message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
        category="Security"
        priority="6"
        summary="Insecure TLS/SSL trust manager"
        explanation="This check looks for X509TrustManager implementations whose `checkServerTrusted` or `checkClientTrusted` methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.">
        <location
            file="Project\com\google\api\client\util\SslUtils$1.class"/>
    </issue>

I am using androidpublisher and oauth2. Because of them, I think my app was removed from the Play Store. I gave all the necessary info at the link below. What can I do?

https://stackoverflow.com/questions/65491217/how-can-i-find-and-fix-my-android-apps-security-vulnerability?noredirect=1#comment115787447_65491217

@chingor13 added labels type: question (Request for information or clarification. Not an issue.) and needs more info (This issue needs more information from the customer to proceed.) on Dec 29, 2020
@chingor13
Contributor

How are you instantiating your http transport implementation for the API client?

We suggest that you use either GoogleNetHttpTransport.newTrustedTransport() or GoogleApacheHttpTransport.newTrustedTransport(). These 2 helpers create HttpTransport instances that include trusted keys for Google APIs.

Example:

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.storage.Storage;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;

// newTrustedTransport() returns a transport that validates peers against the bundled trusted CAs
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
GoogleCredentials googleCredentials = GoogleCredentials.create(access_token); // replace with your auth method (access_token is an AccessToken)
HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(googleCredentials);

Storage storage = new Storage.Builder(httpTransport, jsonFactory, requestInitializer)
        .setApplicationName("MyProject-1234")
        .build();
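As an added example (not code from the google-api-java-client project or from either commenter), this puts the shape that the TrustAllX509TrustManager check in the first post describes next to a trust manager that delegates every decision to the platform trust store, and wires the latter into a NetHttpTransport through the library's NetHttpTransport.Builder.setSslSocketFactory method. The class name TrustManagers and the helper names are mine; the newTrustedTransport() helper recommended above remains the simpler route.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import com.google.api.client.http.javanet.NetHttpTransport;

/** Added example (hypothetical class name); contrasts the flagged pattern with a validating one. */
public final class TrustManagers {

    /**
     * The shape the lint check reports: checkServerTrusted/checkClientTrusted do nothing,
     * so any certificate chain a peer presents is accepted and TLS gives no authentication.
     */
    static final X509TrustManager EMPTY_CHECKS = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /**
     * Hardened form: hand the chain to the platform's default X509TrustManager, which
     * validates it against the system CA store and throws CertificateException on failure.
     */
    static X509TrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM / Android system trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("default TrustManagerFactory has no X509TrustManager");
    }

    /** A NetHttpTransport whose TLS sessions are validated by the platform trust manager. */
    static NetHttpTransport validatingTransport() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformDefault() }, null);
        return new NetHttpTransport.Builder()
            .setSslSocketFactory(ctx.getSocketFactory())
            .build();
    }
}
```

Static analysis tools such as Android lint match on the empty-method pattern shown in EMPTY_CHECKS, so the distinguishing property of the hardened version is that checkServerTrusted can actually reject a chain.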

@MaxAndolini
Author

MaxAndolini commented Dec 29, 2020

Thank you for your response. I am using it like this:

    OkHttpService service = new OkHttpService(); // credentials.json is fetched with okhttp3 first, which is why this is here
    SubscriptionPurchase purchase = new AndroidPublisher.Builder(
            new NetHttpTransport(),
            JacksonFactory.getDefaultInstance(),
            new HttpCredentialsAdapter(
                GoogleCredentials.fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null))
                    .createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER)))
        // note: String.valueOf(R.string.app_name) yields the resource id number, not the app name
        .setApplicationName(String.valueOf(R.string.app_name))
        .build()
        .purchases().subscriptions()
        .get(BuildConfig.APPLICATION_ID, subscriptionID, token)
        .execute();

Changed it to this as you said:

    OkHttpService service = new OkHttpService();
    SubscriptionPurchase purchase = new AndroidPublisher.Builder(
            GoogleNetHttpTransport.newTrustedTransport(),
            JacksonFactory.getDefaultInstance(),
            new HttpCredentialsAdapter(
                GoogleCredentials.fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null))
                    .createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER)))
        .setApplicationName(String.valueOf(R.string.app_name))
        .build()
        .purchases().subscriptions()
        .get(BuildConfig.APPLICATION_ID, subscriptionID, token)
        .execute();

Still the same.

@burkedavison added label type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.) and removed label type: question (Request for information or clarification. Not an issue.) on Oct 1, 2024
@burkedavison
Member

Changing to feature request for improved documentation.
