After submitting our mobile app to Google Play for closed testing, we received an error in our Pre-Launch report.

  • Your app accepts user certificates when verifying secure connections.

Any idea what this means, or how to fix this?

Adding the text of the error to help search engines crawl it, and others to find this.

Your app accepts user certificates when verifying secure connections.

Your app's Network Security Configuration allows the use of user-specified certificates. This could allow eavesdroppers to intercept data sent by your app, or to modify data in transit.

Consider nesting the trust-anchors element that allows user certificates inside a debug-overrides element to make sure they are only available when android:debuggable is set to true.
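The two shapes of network_security_config.xml that the report is talking about, as an added illustration that is not from the original thread or from either plugin: the first trusts user-installed certificates in base-config (what triggers the warning), the second keeps only the system store there and moves the user store into debug-overrides, which Android honours only when android:debuggable is true. The file is the one referenced from the manifest via android:networkSecurityConfig="@xml/network_security_config"; nothing app-specific is assumed.

```xml
<!-- Flagged form: user-added CAs are trusted for every connection in release builds,
     so anyone who can get a certificate installed on the device can intercept traffic. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- Corrected form: release builds trust only the system CA store;
     the user store is reachable solely through debug-overrides,
     which the platform ignores unless android:debuggable="true". -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Check the generated APK's res/xml/network_security_config.xml after the build, since a plugin or build step may be the thing adding the user anchor to base-config.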

Solution

Hi Jonathan,

You could try adding this plugin: SSL Pinning Plugin. This will force the app to only trust/allow the certificates specified by you. This will not remove the configuration below (I think that's what Google is stating) but will mitigate it. I just don't know if Google will consider this in the analysis.


If you wish to remove this configuration from the network_security_config.xml file, you could try an Android Hook. To do so you need to develop a plugin that removes this property with a hook and then reference this plugin in your app.

You can find some inspirational code in this plugin: InAppBrowser Plugin. The source code can be found here: enableCleartextTrafficPermitted().

Please note the SSL Pinning Plugin approach also addresses Man-in-the-Middle attacks, so I would start with this option. If you are not familiar with creating plugins, it will also be easier for you.


Hope this helps

Regards.

AB


Solution

Hi Antonio,

We were already using the SSL Pinning plugin before we submitted to the Play Store. I'll have a look at Cordova hooks and see if it helps to remove this "error".


Jonathan