You are using an unsafe implementation of X509TrustManager

Question

I\'ve an app in Google Play, today I received a mail from Google saying that:

Google Play warning: You are using an unsafe implementation of X509TrustMa

Answer 1

I just got the same message on a my apps. Same module specified as the OP.

ti.modules.titanium.network.NonValidatingTrustManager;

A few points from my research so far:

• http://docs.appcelerator.com/platform/latest/#!/guide/SSL_Certificate_Store_Support_for_HTTP_Clients does discuss the problem and provide examples for iOS and Android. However:
  • the examples are different for each OS and require creating or downloading modules (the Android one is a couple years old now)
  • the docs specifically say these methods are no longer supported and

You should instead use the HTTPClient's securityManager property to implement support for SSL Certificate Stores.

• the SecurityManagerProtocol docs, unfortunately, have no examples. The few references I could find (http://docs.appcelerator.com/platform/latest/#!/api/Modules.Https) require the use of modules.https which is a PAID module only.

• I'm left with the question: If Google rejects all Appcelerator apps with this particular issue, and only developers with paid subscriptions get an officially-supported solution, does this mean Appcelerator 'community edition' is officially incompatible with Google Play? Is Appcelerator planning to support HTTPS officially for it's community members?

Anyone from Appcelerator care to comment, please? Thank you, David