Unsafe TrustManager implementation on Android app

  1. SDK Version: 34.0.0
  2. Platforms(Android/iOS/web/all): Android

I’ve got a mail about the TrustManager security issue:

Unsafe TrustManager implementation on Android app

TrustManagers are responsible for managing the trust material that is used when making trust decisions and for deciding whether credentials presented by a peer should be accepted.
The TrustManager interface might have been configured to trust all the server certificates, regardless of who signed them.

An implementation ignoring all the SSL certificate validation errors when establishing an HTTPS connection to a remote host makes your app vulnerable to man-in-the-middle attacks.
The following methods allowed self-signed, expired or mismatching CN certificates for SSL connections:

  1. expo.modules.appauth.UnsafeConnectionBuilder.()
  2. io.b.a.a.a.e.f.a()

For more: https://support.google.com/faqs/answer/6346016?hl=en

It seems the root cause is at expo’s appauth module.
Could anybody give me some approach to solve this?
Thank you!
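For reference, this is what a connection builder looks like when it keeps certificate and hostname validation instead of trusting every certificate. It is an added illustration, not code from Expo or the AppAuth library; the class name `SafeConnectionBuilder` and the timeouts are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative class (not Expo/AppAuth code): builds HTTPS connections that
// rely on the platform's default X509TrustManager, so chain validation,
// expiry checks and CN/SAN matching are all enforced.
public final class SafeConnectionBuilder {

    // Returns the platform's default trust manager. Passing a null KeyStore
    // to init() makes the factory load the system CA store (on Android, the
    // device's trusted CAs), rather than a custom trust-all implementation.
    static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    // Opens an HTTPS connection that validates the certificate chain and the
    // hostname. Cleartext URLs are refused outright.
    public static HttpURLConnection open(URL url) throws IOException, GeneralSecurityException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing cleartext connection to " + url.getHost());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default hostname verifier; never replace it with one that returns true.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.setConnectTimeout(15_000); // assumed values
        conn.setReadTimeout(10_000);
        conn.setInstanceFollowRedirects(false);
        return conn;
    }
}
```

A scanner flags a TrustManager whose checkServerTrusted does nothing; the class above never overrides that method, which is what the Google FAQ linked in the post asks for.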


Hi @patw, sorry for the really late follow-up here. I was wondering if this email was from Android, and if it prevented your app from being published at all?