(#) Insecure TLS/SSL trust manager
!!! WARNING: Insecure TLS/SSL trust manager
This is a warning.
Id
: `TrustAllX509TrustManager`
Summary
: Insecure TLS/SSL trust manager
Severity
: Warning
Category
: Security
Platform
: Android
Vendor
: Android Open Source Project
Feedback
: https://issuetracker.google.com/issues/new?component=192708
Affects
: Kotlin and Java files and library bytecode
Editing
: This check runs on the fly in the IDE editor
See
: https://goo.gle/TrustAllX509TrustManager
Implementation
: [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/X509TrustManagerDetector.java)
Tests
: [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/X509TrustManagerDetectorTest.kt)
Copyright Year
: 2015
This check looks for `X509TrustManager` implementations whose
`checkServerTrusted` or `checkClientTrusted` methods do nothing (thus
trusting any certificate chain), which could result in insecure network
traffic caused by trusting arbitrary TLS/SSL certificates presented by
peers.
(##) Example
Here is an example of lint warnings produced by this check:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text
src/test/pkg/InsecureTLSIntentService.java:22:Warning:
checkClientTrusted is empty, which could cause insecure network traffic
due to trusting arbitrary TLS/SSL certificates presented by peers
[TrustAllX509TrustManager]
        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                    ------------------
src/test/pkg/InsecureTLSIntentService.java:26:Warning:
checkServerTrusted is empty, which could cause insecure network traffic
due to trusting arbitrary TLS/SSL certificates presented by peers
[TrustAllX509TrustManager]
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) throws CertificateException {
                    ------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the source file referenced above:
`src/test/pkg/InsecureTLSIntentService.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package test.pkg;

import android.app.IntentService;
import android.content.Intent;

import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class InsecureTLSIntentService extends IntentService {
    TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() {
        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) throws CertificateException {
        }
    }};

    public InsecureTLSIntentService() {
        super("InsecureTLSIntentService");
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        try {
            SSLContext sc = SSLContext.getInstance("TLSv1.2");
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        } catch (GeneralSecurityException e) {
            System.out.println(e.getStackTrace());
        }
    }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can also visit the
[source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/X509TrustManagerDetectorTest.kt)
for the unit tests for this check to see additional scenarios.
The above example was automatically extracted from the first unit test
found for this lint check, `X509TrustManagerDetector.testTrustsAll`.
To report a problem with this extracted sample, visit
https://issuetracker.google.com/issues/new?component=192708.
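
A hardened counterpart to the flagged service, as an added example that is not part of the lint project's code: instead of an empty `X509TrustManager`, it takes its trust managers from a `TrustManagerFactory` initialized with a key store that holds only a CA certificate the app ships. The class `PinnedCaSocketFactory`, its methods and the `caCertStream` parameter are hypothetical names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class): trust one bundled CA instead of every certificate.
public final class PinnedCaSocketFactory {
    private PinnedCaSocketFactory() {}

    // caCertStream: PEM or DER X.509 CA certificate shipped with the app (assumption).
    public static SSLSocketFactory create(InputStream caCertStream)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCertStream);

        // In-memory key store whose only trust anchor is that CA.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("bundled-ca", ca);

        // The platform trust managers validate the chain against the key store;
        // no checkServerTrusted override is written.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    // Scope the factory to one https connection rather than calling
    // HttpsURLConnection.setDefaultSSLSocketFactory for the whole process.
    public static HttpsURLConnection open(URL url, InputStream caCertStream)
            throws GeneralSecurityException, IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(create(caCertStream));
        return conn;
    }
}
```

Because no `X509TrustManager` is implemented by hand, there is no empty `checkServerTrusted` or `checkClientTrusted` for this check to report.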
(##) Suppressing
You can suppress false positives using one of the following mechanisms:
* Using a suppression annotation like this on the enclosing
element:
```kt
// Kotlin
@Suppress("TrustAllX509TrustManager")
fun method() {
    problematicStatement()
}
```
or
```java
// Java
@SuppressWarnings("TrustAllX509TrustManager")
void method() {
    problematicStatement();
}
```
* Using a suppression comment like this on the line above:
```kt
//noinspection TrustAllX509TrustManager
problematicStatement()
```
* Using a special `lint.xml` file in the source tree which turns off
the check in that folder and any sub folder. A simple file might look
like this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<lint>
    <issue id="TrustAllX509TrustManager" severity="ignore" />
</lint>
```
Instead of `ignore` you can also change the severity here, for
example from `error` to `warning`. You can find additional
documentation on how to filter issues by path, regular expression and
so on
[here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html).
* In Gradle projects, using the DSL syntax to configure lint. For
example, you can use something like
```gradle
lintOptions {
    disable 'TrustAllX509TrustManager'
}
```
In Android projects this should be nested inside an `android { }`
block.
* For manual invocations of `lint`, using the `--ignore` flag:
```
$ lint --ignore TrustAllX509TrustManager ...
```
* Last, but not least, using baselines, as discussed
[here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).