Appcelerator Currently has no Solution for the X509TrustManager Android Problem

Will we get a fix in a time sufficient to resolve the issue?

Posted by Malcolm Hollingsworth on

For the past 24 hours Appcelerator developers have been receiving emails from Google with the following subject line.

Google Play warning:
You are using an unsafe implementation of X509TrustManager

How will this affect you?

Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

Can you solve this today?

If you were like me, you probably determined that the apps it affected were using an old SDK, for example 3.5.1, or that the problem was due to a submission built against Android build tools that have since been resolved. Neither of these is the reason.

It seems that Appcelerator has a problem in its own code that is causing the warning, so you have NO control over rectifying the problem in your own apps or those of your clients.

Has Appcelerator said anything?

There is a blog post, "Google Security Alert: Unsafe implementation of the interface X509TrustManager". However, as there has been no email or other indication so far, you had to read about it on the Appcelerator blog site.

To me this seems important enough to have been sent out as an email alert update. I assume it may at some point be directly shared with the community.

So when can you fix your apps?

The closest thing to an answer is the following:

We will have a Titanium SDK with a fix and instructions ready for you in time.

If you are not convinced that you will have sufficient time, I am with you. Without knowing when the fix will be ready, or how close to the cut-off date it will be, you have problems. The opportunity to plan around this issue and work it into whatever apps require resubmission is simply not known.

Dog food

It is suggested that you update all of your apps for the latest SDK to make the transition to the one containing the fix as smooth as possible.

Here is the part that Appcelerator simply does not understand in these circumstances. Whilst Appcelerator often uses the phrase "we eat our own dog food", I am not sure they fully understand how managing multiple real-world projects at different developmental stages actually affects choices.

If they did, then they would understand that many apps, big or small, may require staying on specific SDK versions for reasons outside of the wish for new features. Sometimes it is module compatibility, or too many people working on a project part way through for such a jump to occur.

Many people are still using SDK 3.5.1, and the jump to 5.x is much greater than a transition. I ALWAYS recommend upgrading to the latest known stable SDK (which is not always the latest one released), but that does not mean it is always possible at that time.

Patch SDKs should be available

I think it makes good sense to have earlier SDKs available with a patch for the X509TrustManager issue, so that those not yet able to move up can still resubmit apps to the store.

Share your thoughts with Appcelerator on this.