plaid / plaid-link-android

Plaid Link Android SDK
https://plaid.com/docs/link/android
MIT License

Dependency issue: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers #231

Open dmytroKarataiev opened 2 years ago

dmytroKarataiev commented 2 years ago

The problem

Lint complains about the dependency from the plaid library:

../../org/bouncycastle/est/jcajce/JcaJceUtils$1.class: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers
../../org/bouncycastle/est/jcajce/JcaJceUtils$1.class: checkServerTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers
../../org/bouncycastle/est/jcajce/JcaJceUtils$2.class: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers

This check looks for X509TrustManager implementations whose checkServerTrusted or checkClientTrusted methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers. To suppress this error, use the issue id "TrustAllX509TrustManager" as explained in the Suppressing Warnings and Errors section.

Steps to Reproduce

On all the recent Plaid versions, run a lint check and it will raise this lint issue.

Expected Result

No lint issue raised.

jen-m1finance commented 1 year ago

The problem

After upgrading the Android Link SDK from 3.6.0 to 3.6.1, and with the latest 3.10.1, upon executing the Gradle lintProductionRelease task, we also encountered the following error:

 /home/runner/work/android/android/app/org/bouncycastle/est/jcajce/JcaJceUtils$1.class: Error: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers [TrustAllX509TrustManager]
/home/runner/work/android/android/app/org/bouncycastle/est/jcajce/JcaJceUtils$1.class: Error: checkServerTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers [TrustAllX509TrustManager]
/home/runner/work/android/android/app/org/bouncycastle/est/jcajce/JcaJceUtils$2.class: Error: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers [TrustAllX509TrustManager]

  Explanation for issues of type "TrustAllX509TrustManager":
   This check looks for X509TrustManager implementations whose
   checkServerTrusted or checkClientTrusted methods do nothing (thus trusting
   any certificate chain) which could result in insecure network traffic
   caused by trusting arbitrary TLS/SSL certificates presented by peers.

Environment

Steps to Reproduce

Run lintRelease or lintProductionRelease Gradle task

Expected Result

Same as the comment above: no lint error.

jen-m1finance commented 1 year ago

It looks like an issue has been filed in the Bouncy Castle repo as well, since the error points to JcaJceUtils.

jen-m1finance commented 10 months ago

Still seeing this issue. Is there any update here?

artyomdeynega commented 7 months ago

Any update?