Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 3.2
-
Fix Version/s: EE-3.2.0.GA, 3.3
-
Component/s: Push Library
-
Labels:None
-
Environment:Test
Description
The reported issue was: "Improper Validation of Host-specific Certificate Data"
The details provided by Veracode were:
_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._
The relevant class is:
com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)"
The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
Issue Links
- blocks
-
ICE-8771
SECURITY: Potential security improvements related to findings from Veracode security scan
-
- Closed
-
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
Assigning to Steve to consider whether to resolve for 1.2EE or a future release. Although the timing is not ideal, the recommendation would be to resolve this for 1.2 EE.
Potential strategy for implementation:
android-sdk-macosx/extras/google/gcm/gcm-server/src/com/google/android/gcm/server/Sender.java
Just use the HttpURLConnection as in the example.
protected HttpURLConnection post(String url, String contentType, String body)
throws IOException {
if (url == null || body == null)
if (!url.startsWith("https://"))
{ logger.warning("URL does not use https: " + url); } logger.fine("Sending POST to " + url);
logger.finest("POST body: " + body);
byte[] bytes = body.getBytes();
HttpURLConnection conn = getConnection(url);
conn.setDoOutput(true);
conn.setUseCaches(false);
conn.setFixedLengthStreamingMode(bytes.length);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", contentType);
conn.setRequestProperty("Authorization", "key=" + key);
OutputStream out = conn.getOutputStream();
out.write(bytes);
out.close();
return conn;
}
All SSL related code has been removed from GCM provider. Now using a normal HTTP connection. The C2DM provider has been deleted, as it is no longer supported by google.
This is a security issue and should be fixed. Both C2dmNotificationProvider.java and GcmNotificationProvider.java make use of noop TrustManager. This would allow an attacker to spoof DNS (for a google.com domain) and to intercept all Cloud Push notifications sent to Android devices from the application server.