Adding the text of the error, to help search engines crawl this error, and others to find this.

Your app accepts user certificates when verifying secure connections.

Your app's Network Security Configuration allows the use of user-specified certificates. This could allow eavesdroppers to intercept data sent by your app, or to modify data in transit.

Consider nesting the trust-anchors element that allows user certificates inside a debug-overrides element to make sure they are only available when android:debuggable is set to true.

Hi Jonathan,

you could try adding this plugin SSL Pinning Plugin. This will force the app to only trust/allow the certificates specified by you. This will not remove the configuration bellow (I think that's what Google is stating) but will mitigate it. I just don't know if Google will consider this in the analysis.

If you wish to remove this configuration from the network_security_config.xml file you could try an Android Hook. To do so you need to develop a plugin that removes this property with a hook and then reference this plugin in your app.

You can find some inspirational code in this plugin InAppBrowser Plugin. The source code can be found here: enableCleartextTrafficPermitted().

Please note the SSL Pinning Plugin approach also addresses Man-in-the-Middle attacks so I would start by this option. If you are not familiar creating plugins it will also be easier for you.

Hope this helps

Regards.

AB

Hi Antonio,

We were already using the SSL Pinning plugin before we submitted to play store. I'll have a look at cordova hooks and see if it helps to remove this "error"

Jonathan

Hi Jonathan,

Can you explain if and how you solved this problem?
I'm facing the same issue at the moment.

Thank you!

Hi Martin, 

In my case I added a Cordova hook into the SSLPinningPlugin

1. Clone the SSL Pinning repository
2. Add this file : disableUserCertificates.js (attached)
3. Add this line to plugin.xml, within the <platform name="android"> element
   <hook type="before_plugin_install" src="hooks/disableUserCertificates.js" />
4. push the code to a git repo, or zip it, and change the extensibility configuration to use the modified code.

In my case, it made sense for me to just add into SSL Pinning, as it relates to SSL certificate security and I didn't want to have to create an separate plugin. However you may opt to create a separate plugin with just this hook.

I wonder if anyone has already created a separate plugin for disabling the user Certificates that I could use, because I don't intend to use the SSL pinning plugin in my app.

I think it's kind of weird for Outsystems to have generated apps setup this way and not have an easy way for us developers to change it. Would it be weird to ask for a key value pair in the extensibility configuration for configuring this?

Also, is it mandatory for us to fix this before publishing the app? I can't find this anywhere in the google documentation.

This took a while, as my "workaround" worked fine for some time. Now that SSL Pinning plugin has become a "supported" component, I'm not able to easily make modifications to it.

So, I've separated the script hook, and published it on the forge as a plugin --> https://www.outsystems.com/forge/Component_Overview.aspx?ProjectId=10441

Hope this helps anyone who encounters this error.