Android & iOS: Remove possibility to disable SSL validation mandatory #5354
Comments
One thought I had was to leave Piwik Mobile 2 in the app store as Google doesn't force app developers to update such apps (yet) and release a Piwik Mobile 3 which won't work for users with self-signed certificates etc. This way there would be an alternative for these users. However, it is a pain to get users to install a new app as they won't be aware that there is a new version. Instead we will recommend downloading the APK from piwik.org http://piwik.org/faq/mobile-app/#faq_16330. That version won't work forever but it'll be a workaround.
In my opinion releasing an app called "Piwik Mobile 3" would be very confusing because the stable web release is v2.X. Please also note that the current release of Piwik Mobile 2 Beta for Android (v2.3.0) still does not support SSL/TLS when using Server Name Indication (SNI): #5327
Or maybe we update the existing Piwik Mobile 2 and add the SSL features, and could create a new app, Piwik Mobile 2 (Non-SSL), so that most users benefit from the updated version and security fixes. If their Mobile App authentication becomes broken after they update, then we could point them to the alternative app (if we would decide to create it).
That was my first thought, but as far as I understand that must happen before May 17:
Exactly, we would need to create the Non-SSL version before May 17th. Doing this would take one or a couple of days' work I presume, as currently I do not have all the stack installed anymore that is required to build the app, and I'm not even sure if I can get it all working easily.
We might release a new version for Android to address #5359 and #5357. If we release a new version, we will target only Android 7+, so for most devices it will still be possible to ignore SSL errors. For users on Android 7+ that update to this version, there will no longer be a chance to ignore SSL errors. I will try to show a useful error message instead. We should try to mention very clearly and early in the App description and "What's new" description that SSL can no longer be ignored, which is good but it will cause a problem for some users. We will try to show a link to Piwik.org where they can download an older version.
FYI: For the ones that have tracking enabled, about 15% had SSL validation errors when they tried to log in, and of those 15% about 90% chose to ignore this error.
A demo can be downloaded on https://piwik.org/wp-content/uploads/2016/10/PiwikMobile2.3.0-b2.apk . Currently works on Android 6+
this is done |
Background is a mail from Google:
http://www.appcelerator.com/blog/2016/02/google-security-alert-unsafe-implementation-of-the-interface-x509trustmanager/
Also see advice from Appcelerator on what to do: http://www.appcelerator.com/blog/2016/03/update-on-recent-google-security-alerts/
By default, SSL certificate validation is enabled in Piwik Mobile. However, as many users use self-signed certificates etc., there is a possibility to disable SSL validation.
This means we can no longer release any update of Piwik Mobile if we offer this possibility to our users. Also, in Titanium there is no longer any option to ignore SSL errors, so we simply have no choice but to remove this "Feature". This will break Piwik Mobile for many users and there is no solution apart from users changing the SSL certificate or not using the Piwik Mobile app.
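As an added illustration (not code from the Piwik Mobile project or from this issue), the following Java shows at the plain Android/JSSE level what Google's alert is about: an `X509TrustManager` whose `checkServerTrusted` accepts every chain, next to a validating alternative that trusts exactly one server certificate (for instance a self-signed one exported from the user's own Piwik server) while keeping chain checks and the default hostname verifier in place. The class name, method names and the `piwik-server` alias are assumptions chosen for the example; the issue itself notes that Titanium offers no equivalent option.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical example class; names are not from the Piwik Mobile code base.
public class TrustManagerExamples {

    // UNSAFE: the pattern behind the Google alert. Both check methods return
    // without inspecting the chain, so any certificate a network attacker
    // presents is accepted and the connection is not authenticated at all.
    // Included so the pattern can be recognised during code review.
    static TrustManager[] unsafeTrustAll() {
        return new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
    }

    // SAFER: validation stays on, but the trust store contains only the one
    // certificate the user deliberately installed (PEM or DER bytes). Any other
    // certificate, self-signed or CA-issued, is rejected by the platform
    // TrustManager; nothing is silently ignored.
    static SSLContext contextTrustingOnly(InputStream serverCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(serverCertificate);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                            // empty in-memory store
        ks.setCertificateEntry("piwik-server", serverCert);  // alias is an assumption

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                   // platform validation against that one cert

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Use the restricted context for one connection. The default HostnameVerifier
    // is intentionally left untouched: replacing it with one that returns true
    // would reopen the same hole the TrustManager fix closes.
    static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

For review purposes the tell-tale signs of the unsafe variant are an empty `checkServerTrusted` body (or one that only logs) and a `HostnameVerifier` that returns `true` unconditionally; the `contextTrustingOnly` form keeps the user on a validated connection to a self-signed server without accepting arbitrary certificates.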