Google Play flagging a Security Error

After submitting our mobile app to Google Play for closed testing, we received an error in our Pre-Launch report.

  • Your app accepts user certificates when verifying secure connections.

Any idea what this means, or how to fix this?






Adding the text of the error, to help search engines crawl this error, and others to find this.

Your app accepts user certificates when verifying secure connections.

Your app's Network Security Configuration allows the use of user-specified certificates. This could allow eavesdroppers to intercept data sent by your app, or to modify data in transit.

Consider nesting the trust-anchors element that allows user certificates inside a debug-overrides element to make sure they are only available when android:debuggable is set to true.

Solution

Hi Jonathan,

You could try adding the SSL Pinning Plugin. This will force the app to only trust/allow the certificates specified by you. This will not remove the configuration below (I think that's what Google is stating) but will mitigate it. I just don't know if Google will consider this in the analysis.


If you wish to remove this configuration from the network_security_config.xml file, you could try an Android hook. To do so, you need to develop a plugin that removes this property with a hook and then reference this plugin in your app.

You can find some inspirational code in the InAppBrowser Plugin. The source code can be found here: enableCleartextTrafficPermitted().

Please note that the SSL Pinning Plugin approach also addresses man-in-the-middle attacks, so I would start with this option. If you are not familiar with creating plugins, it will also be easier for you.


Hope this helps

Regards.

AB


Hi Antonio,

We were already using the SSL Pinning plugin before we submitted to the Play Store. I'll have a look at Cordova hooks and see if it helps to remove this "error".


Jonathan

Hi Jonathan,

Can you explain if and how you solved this problem?
I'm facing the same issue at the moment.

Thank you!

Hi Martin, 

In my case I added a Cordova hook into the SSLPinningPlugin:

  1. Clone the SSL Pinning repository
  2. Add this file : disableUserCertificates.js (attached)
  3. Add this line to plugin.xml, within the <platform name="android"> element
    <hook type="before_plugin_install" src="hooks/disableUserCertificates.js" />
  4. Push the code to a git repo, or zip it, and change the extensibility configuration to use the modified code.


In my case, it made sense for me to just add it into SSL Pinning, as it relates to SSL certificate security and I didn't want to have to create a separate plugin. However, you may opt to create a separate plugin with just this hook.

disableUserCertificates.zip

I wonder if anyone has already created a separate plugin for disabling the user Certificates that I could use, because I don't intend to use the SSL pinning plugin in my app.

I think it's kind of weird for OutSystems to have generated apps set up this way and not have an easy way for us developers to change it. Would it be weird to ask for a key-value pair in the extensibility configuration for configuring this?

Also, is it mandatory for us to fix this before publishing the app? I can't find this anywhere in the google documentation.

Solution

This took a while, as my "workaround" worked fine for some time. Now that SSL Pinning plugin has become a "supported" component, I'm not able to easily make modifications to it.

So, I've separated the script hook, and published it on the forge as a plugin --> https://www.outsystems.com/forge/Component_Overview.aspx?ProjectId=10441


Hope this helps anyone who encounters this error.


Hi Jonathan,

I'm struggling with the same problem. However, when I add a reference to your plugin, my builds are failing. If I remove the reference, everything builds normally. Any idea what I am doing wrong?

Hi Lies, 

I'm not totally sure what's happening, it worked on mine. What version of MABS are you using? Could you post your log?

Hi Jonathan,

I'm using MABS 7.0. The error log doesn't give much more information than a simple 'An unexpected error has occurred while installing the Cordova plugins. Please try again. If the problem persists, contact OutSystems Support.'

The app I used it for was on MABS 6.3; I haven't used it on MABS 7.0 yet. It may take me some time to fix this.


I've updated the plugin. When I switched to MABS 7.0 it complained about a missing package.json file, which I've now added.

FYI, you can get the build log from service center, if you go to your application, under the Distribute tab, there is an icon to download the build-log.


Thank you Jonathan! I'm going to try it out tomorrow and will let you know. Also thanks for pointing out where I find the build log - I was not aware of that yet.
