Update on recent Google Security Alerts

In February, a number of Titanium developers received Google Security Alerts for their apps. To learn more about this alert, see our initial blog post.

TL;DR: Owing to a somewhat simplistic security scan, Google has flagged an implementation of the X509TrustManager interface in a Titanium SDK class as unsafe. This class is not used in production apps by default, though it remains present in the SDK. A developer has to publish a development build or manually disable SSL certificate validation for this class to be used in production. If the class is not used, there is no actual security issue. Regardless, beginning May 17, 2016, Google will not accept new apps or updates to existing apps that trigger this security alert.

Affected Titanium SDK versions

We have uploaded APKs to Google Play to test all of the latest major and minor releases since 3.5.1.GA. These were all production builds that did not manually disable SSL certificate validation. We manually targeted Android API level 22 for 5.0.2.GA and older; Titanium 5.1.2.GA and later default to API level 23.

These tests showed that Google only raises the Security Alert for 4.1.1.GA, 4.0.0.GA and 3.5.1.GA; Titanium 5.0.2.GA, 5.1.2.GA and 5.2.0.GA do not trigger it. If you have seen otherwise, please leave a comment on the JIRA ticket, but first make sure you built for production and manually targeted API level 22 for 5.0.2.GA.

What we’ve done

We have merged a fix to the 4_1_X, 4_0_X and 3_5_X branches that removes the affected class. In these builds the property to manually disable SSL certificate validation will no longer have any effect.

You can get CI builds for these branches from our build server or patch your custom build:

Branch   CI Build
4_1_X    [appc] ti sdk install -b 4_1_X 4.1.1.v20160311104258
4_0_X    [appc] ti sdk install -b 4_0_X 4.0.1.v20160311104206
3_5_X    [appc] ti sdk install -b 3_5_X 3.5.2.v20160311103211

What you will need to do

If you have been publishing development builds or have manually disabled SSL certificate validation, you will need to make sure the SSL certificates of your servers are in order so that validation no longer needs to be disabled. For example, run your servers through SSL Labs and check the Handshake Simulation results for the Android versions you need to support, since older Android releases ship with older trust stores and cipher suites.

For affected apps and new apps, build using Titanium 5.x or a patched SDK and upload the APK. Wait 24 hours to be sure Google's security scan has run, then verify that no Security Alert has been raised.

17 COMMENTS

      • Hi Fokke

        I am trying to compile my app using the Appcelerator Titanium 5.2.0 build

        and it throws the following error while installing the app on a device (Android 4.0.4):

        java.lang.NoSuchMethodError: android.app.Activity.startActivity; Titanium 5.2.0

        I just created a simple window in my application.

        code snippets:

        Titanium.UI.setBackgroundColor('#000');

        var window = Titanium.UI.createWindow({
            backgroundColor: 'red'
        });
        window.open();

        However, if I implement a TabGroup and open it, then it works fine.

        Could you please help me to resolve this issue?

        • Hi Jigs,

          I had this issue last week on Android devices. To resolve it I had to add the following arguments to the open window command.

          mainWindow.open({
          activityEnterAnimation: Ti.Android.R.anim.fade_in,
          activityExitAnimation: Ti.Android.R.anim.fade_out
          });

          I hope this solves your problem.

  1. Hi,
    Thanks for all your help.

    Finally my app is running fine after compiling with the Titanium SDK

    3_5_X [appc] ti sdk install -b 3_5_X 3.5.2.v20160311103211

    that is listed above.

    So, by just compiling with the above SDK, will this solve my Google Play Store security issue? Or do I need to do something at code level? My app contains HTTPS connections, and while using Ti.Network.createHTTPClient() I am not using the property "validatesSecureCertificate : Boolean".

    Please suggest if I need to do anything with this property.
    Also, I am compiling the app using "run as device".

      • Can you give me a hint on this "validatesSecureCertificate : Boolean"?
        Should it be true or false?

        • With the patched SDKs, it will be true regardless of the environment or if you’ve tried to manually set it to false. In Titanium SDK 5.0 and later it looks like setting it to false does not trigger the security alert, but really you shouldn’t. Whatever API you use should always have valid certificates.

  2. Hi
    After uploading the .apk to my Google Play Store account, it now shows "Affects APK version XX", which is the older one. So now I am not getting any "affects" alert for the new version that I uploaded, but I am still getting the yellow security alert message. So is that issue resolved or not?

  3. I published with 3.1.3GA and got a security alert mail from Google.
    If I update to SDK 5.2.2GA and just publish an apk, will that fix this issue?

      • Hi,

        I am using the 3.5.1 SDK, and if I try to update to 5.2.x, will the application run successfully?
        Because I got some issues: I am not using the Action Bar, but it is showing even when I hide it.
        I observed some UI issues. Please suggest how an app which runs with 3.5.x can run exactly the same in 5.2.x.
