Android SSL bugs and POODLE bites: Google Play Store App Development Complexities

Last week on Thursday, I got a flurry of emails about our Android Economy app showing an error message. The message stated that it could not “interpret data” received from a web server. Our iPhone and Android apps get data from a number of different web servers, but this was the first time (since the 2012 app launch) that our Android Economy app had a serious outage problem.

Including time spent on emails, investigations, coding, coordinating testing on different devices, the release process, etc., it took me more than 15 hours to resolve the matter, and over the weekend we released Google Play updates for the paid and the free versions of the Economy app. While investigating the matter, I had run into two peculiarities in Android. The second problem (related to SSL v3) is a clear bug/flaw in Android, while the first problem (relating to 301 redirects) is a debatable matter, since there are legitimate reasons for Android to behave the way it does.

Android, HTTPS and 301 Redirects: Our app uses Android’s HTTP framework and it is configured to automatically follow 301 redirects. However, Android’s automatic redirect code failed because the web server asked us to redirect from an HTTP URL to an HTTPS URL. This inability to redirect isn’t unique to Android’s Java implementation. An entry in Oracle’s Java bug database, JDK-4959149, notes that the JDK currently treats HTTP and HTTPS as separate protocols, but that in the future, the JDK should allow “seemless redirection” [sic] between HTTP and HTTPS. That bug was logged in 2003, but Android’s Java implementation doesn’t yet support automatic seamless redirection between HTTP and HTTPS URLs. There are legitimate reasons why clients (e.g. Android apps) may not want automatic redirection from some specific HTTP URLs to HTTPS URLs. However, if a client asks for automatic redirection, I think it might make sense for the platform to honor the existing configuration setting (or introduce a new setting/property for this particular scenario).

A simple fix: A quick investigation of the 301 problem suggested that the fix was simple. I could write code to duplicate Android’s 301 handler logic, but modify it so that requests to an HTTP URL could get redirected to an HTTPS URL. The simpler (and more efficient) fix was to directly make a request to the HTTPS URL and avoid redirects. I implemented this https-request fix.
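The first option above (handling the redirect in app code) can be sketched as follows. This is an added example, not the app's code: it follows redirects by hand, allows the HTTP-to-HTTPS upgrade and refuses a downgrade from HTTPS to HTTP. It covers other 3xx codes besides 301; the class name, method names and the example.com URLs are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public final class UpgradeOnlyRedirects {
    private static final int MAX_HOPS = 5; // assumed limit, guards against redirect loops

    /** A hop is acceptable if the scheme is unchanged or goes from http to https. */
    static boolean isAllowed(URL from, URL to) {
        String a = from.getProtocol();
        String b = to.getProtocol();
        if (!b.equals("http") && !b.equals("https")) return false; // no file:, ftp:, ...
        return a.equals(b) || (a.equals("http") && b.equals("https"));
    }

    /** Opens a GET connection, following redirects manually under the policy above. */
    static HttpURLConnection open(URL url) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false); // every hop is checked here instead
            int code = conn.getResponseCode();
            boolean redirect = code == 301 || code == 302 || code == 303
                    || code == 307 || code == 308;
            if (!redirect) return conn;
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) throw new IOException("Redirect without Location header");
            URL next = new URL(url, location); // resolves relative Location values
            if (!isAllowed(url, next)) {
                throw new IOException("Refusing redirect " + url + " -> " + next);
            }
            url = next;
        }
        throw new IOException("Too many redirects");
    }

    public static void main(String[] args) throws IOException {
        // Constructed URLs; only the policy check runs, no network access.
        URL http = new URL("http://example.com/data");
        URL https = new URL("https://example.com/data");
        System.out.println("http -> https allowed: " + isAllowed(http, https));
        System.out.println("https -> http allowed: " + isAllowed(https, http));
    }
}
```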

POODLE and SSL V3: Unfortunately, an Android bug blocked the https-request fix from working. That bug was exposed through a different problem – the POODLE attack. In 2014, researchers (ironically from Google) discovered an SSL V3 vulnerability and they reported that a man-in-the-middle exploit, the POODLE attack, could exploit this vulnerability. In response, administrators removed SSL V3 support from many web servers.

Android and SSL V3: A nasty bug in the Android HTTPS client implementation makes it impossible for apps to use the standard framework for HTTPS requests to web servers that don’t support SSL V3. Android throws a javax.net.ssl.SSLHandshakeException exception because it (always and) only attempts to use SSL V3. This is a known bug in many (but not all) versions of Android. The fix (or to be more precise, hack) was to explicitly add code to disable SSL V3 in the HTTPS client. Unfortunately, this hack isn’t as small as it sounds. The hack needed more than a hundred lines of code. Most Android versions (Gingerbread, 2.3.3, Jelly Bean 4.3 etc.) have this bug, but newer versions (like Lollipop 5.1) do not have the forced-SSLv3-usage bug. So I implemented two code paths, one for Lollipop and newer Android versions and one for all older versions of Android.

Thoughts on the Android platform: I wrote about Android platform quality problems a couple of years ago. Since then, I had taken a 2-year break from Android programming, so it was good to work with my old code again, though I wish it had happened under better circumstances. Since being launched in 2012, Google Play store revenue from the paid version of the Android Economy app has been less than $1,000. This contrasts with the iPhone and iPad versions of our Economy app which ranked #1 on Apple’s top charts for several weeks. However, average user-ratings seem to be similar across Apple’s app store and Google’s play store. Before the outage, the Android Economy app had 13 five-star reviews, 2 four-star reviews and nothing below four-stars. The app is generally ranked as one of the top 50-100 Finance apps (in recent sales volume) in Google’s play store. This one-time outage notwithstanding, the Economy app and Economy USA (free) are both great apps for Android phones/tablets and I hope users continue to get value from them.
