Error Apache Trust Manager - implementation of the X509TrustManager
ericgomez opened this issue
Security and trust
Apache Trust Manager
Error Security
Your application uses an insecure implementation of the X509TrustManager interface with an Apache HTTP client, which causes a security vulnerability. See this article in the Google Help Center for more information, including the deadline to fix the vulnerability.
- Lcom/zxy/tiny/core/HttpUrlConnectionFetcher$TinyTrustManager;
- sv: deadline: 02/17/2022
Additional Information
To properly process SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to select CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. In particular, be aware of the following issues:
- Check that the exceptions thrown by checkServerTrusted are not included in the method. If they were included, this would cause checkServerTrusted to exit normally, and the application would trust a malicious certificate.
- Don't use checkValidity to examine the server's certificate. The checkValidity method checks if a certificate has expired, but does not determine if it is trusted.
- You can also use network security settings to customize the behavior of your application's certificates in a less error-prone way.