I’ve been using the smack-android library in production successfully for almost a year now. Thank you.
Recently I scanned my apk with the free linkedin library, qark.
GitHub - linkedin/qark: Tool to look for several security related Android application vulnerabilities
Here’s the result:
WARNING - Instance of checkServerTrusted, with no body found in: /…/classes_dex2jar/org/jivesoftware/smack/util/TLSUtils.java. This means this application is likely vulnerable to Man-In-The-Middle attacks. This can be confirmed using the free version of Burpsuite. Simply set the Android device’s proxy to use Burpsuite via the network settings, but DO NOT install the Portswigger CA certificate on the device. If you still see traffic in the proxy, the app is vulnerable. Note: You need to ensure you exercise this code path. If you are unsure, make sure you click through each part of the application which makes network requests. You may need to toggle the proxy on/off to get past sections that do validate certificates properly in order to reach the vulnerable code. This proves that it will accept certificates from any CA. You should always validate your configuration by visiting an HTTPS site in the native browser and verifying you receive a certificate warning. For details, please see: https://developer.android.com/training/articles/security-ssl.html
Here’s my connection implementation:
builder = XMPPTCPConnectionConfiguration.builder();
builder.setServiceName(serviceName);
builder.setHost(serverAddress);
builder.setPort(serverPort);
builder.setResource(“android”);
builder.setHostnameVerifier(new StrictHostnameVerifier());
connection = new XMPPTCPConnection(builder.build());
connection.connect();
connection.login(loginUser, passwordUser);
It seems I need to override the TLSUtils.AcceptAllTrustManager but I’m really not sure what I need to do.
Any help is much appreciated.