Troubleshooting SSL Validation
This page describes how to troubleshoot issues with your Android app not validating SSL certificates. See http://www.kb.cert.org/vuls/id/582497 for more background on this issue.
To troubleshoot the issue with your Android app not validating SSL certificates as described in the above link:
Verify that the SSL traffic is coming from one of the following libraries:
- Flurry CVE-2014-6024
- Chartboost CVE-2014-6025
- AdColony CVE-2014-5524
- MoMinis/Playscape CVE-2014-5525
- TapJoy CVE-2014-5527
- InMobi CVE-2014-5526
- Appsflyer CVE-2014-5528
- Zopim CVE-2014-5530
- Fiksu CVE-2014-5814
After verifying that the SSL traffic is coming from one of the above libraries, refer to the CVE information for the versions of the library that are affected, and then if available, upgrade to a fixed version of the library.
- If all of your unverified SSL traffic is in one of the above libraries, upgrade the library and resubmit your app to Amazon.
If all of your unverified SSL traffic is not contained within one of the above libraries, to secure your own traffic, take precautions to protect the data of your customers.
If you use a purchased SSL certificate to do this, wrap all of your code that is dependent on SSL in a try/catch block to prevent your app from sending or receiving data on the network in the event of an SSLException.
- If you sign SSL traffic yourself, store your CA Authority certificate in your app’s assets directory, and then use the CA Authority certificate to validate your SSL traffic within a try/catch block, and don’t allow traffic if the certificate is not trusted. For information about secure Android application design and coding, including examples on how to validate self-signed SSL traffic, see section 5.4 in http://www.jssec.org/dl/android_securecoding_en.pdf.
- If you have any known CA Authority certificates that you are using for your own traffic, to prevent an attack based on compromised CA Authority hosts, pin your SSL certificates that are based on those CA Authorities.
For more information about this vulnerability, see http://www.kb.cert.org/vuls/id/582497 and https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=134807561.
For documentation about correctly validating SSL traffic, see http://developer.android.com/training/articles/security-ssl.html.
For more information on how to pin SSL certificates in your apps and other platform’s applications, see https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning.