Security alert for insecure TrustManager - android-security

In one of my apps I recently got the following alert from Google Play saying:
Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
Can someone provide more details on what should be updated?

Related

Google Identity Migration with Direct Usage of GAPI.Client

We got a message to migrate to the new Google Identity Service.
We do a direct usage of GAPI.Client for authentication and not the Javascript Platform library.
Does anyone know if the deprecation would affect us?
According to this blog post, it doesn't seem to be affected but we are getting the emails from Google asking us to migrate.

Firebase Analytics not logging events

I have a React web app. I set up analytics as described in the documentation here : https://firebase.google.com/docs/analytics/get-started
With the help of the Analytics extension in Chrome, and in my dev environment, I can see the logs in the Debug view section. That means I setup analytics correctly in the app (I believe).
However, if I deploy my app to my https://myapp.web.app domain, nothing logs. I checked the Hosting section, and my app is correctly deployed and it is selected.
I updated my firebase sdk recently (8.7.0), and I added measurementId in the settings, although the doc says it's optional to use measurementId.
Am I missing something ? Is there any way to see if I'm missing something ?
Enabling Google Analytics involves API requests to Firebase Installations Service, to google-analytics.com and to googletagmanager.com`.
I use Firefox, because Chromium sends my computer CPU and RAM consumption to the moon, even with a single tab open. And in Firefox, unlike Chromium and Brave, among other browsers, I had nothing logged in the console.
Chromium and Brave logged API requests errors.
So, you need to add the Firebase Installations Service API key in the cloud console.
I feel this could be mentioned in the documentation, because it's not very obvious.
Anyway, someone explained it very clearly here : Firebase: 403 PERMISSION_DENIED (FirebaseError: Installations): Requests are blocked, after updating SDKs (FirebaseInstallationsService)
Now Firebase Analytics show logs when using Chromium.
However, these requests are blocked using Firefox and Brave (and therefore no logs are shown in Firebase Analytics). My understanding is it has to do with default settings in the browser.
With Brave, it's GET requests to googletagmanager.com/ that are blocked.
With Firefox, it's POST requests to google-analytics.com/ that are blocked. The above mentioned GET request is NOT blocked by Firefox.
https://rankfuse.com/blog/firefox-browser-blocking-google-analytics/
Does anyone know of a workaround ? I understand some Internet users can be annoyed by tracking systems such as GA, but Internet services need such tracking systems to improve their overall user experience, and if Internet browsers block analytics services, we are kind of stuck there.
EDIT: ok, so a bit of research about the above issue of browsers blocking analytics requests I came across various paid services purposely defined as workarounds and various tricks to bypass analytics blocking.
One straightforward way is to obviously proxy requests from your user's browser to google-analytics.com. There is a good article here that explains how to proceed can be found here: https://iainbean.com/posts/2020/the-shady-world-of-google-analytics-proxying/

Static website I am hosting cannot be reached and the server IP cannot be found

I recently used Google Domains to register a domain and have connected it to Google Cloud Console to manage a static website. I followed the Google Codelabs guide to set it up and faced no issues. However, when refreshing my website, it still doesn't load and my browser (Chrome) gives me the following error message:
This site can’t be reached
carbonfootprint.dev’s server IP address could not be found."
As well, going to www.carbonfootprint.dev gives me another error message:
Your connection is not private
Attackers might be trying to steal your information from www.carbonfootprint.dev (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
...Which is confusing, because I was under the impression that a .dev domain suffix gives SSL certification by default.
However, in my Google Domains settings, the website content appears as it should in the minimized preview that exists in both the Domain Overview panel and Website panel. It has been over 48 hours, so it should have updated by now if it were just a delay issue.
For reference, this is what my Custom resource records look like, this is what my synthetic records look like, and these are my bucket details in Google Cloud Console. As well, here is a preview of the website, as shown in the Google Domains console.
Any help is much appreciated!
Ended up finding the answer thanks to #IshRaj on ServerFault.
For future reference to anyone else viewing, Google Cloud Storage only supports HTTP connections when hosting a static website through CNAME resource records. To serve content through a custom domain over SSL, you will need to either:
Set up an external HTTPS load balancer (instructions here),
potentially with Google Cloud CDN (set-up documentation here)
Connect a third-party Content Delivery Network to your Google Cloud
Storage (guide here)
Host your static website on Google App Engine with Python (guide
here)
Serve static website content through Google Firebase rather than
Google Cloud Platform (tutorial here/additional support)
Personally, I went with Google Firebase (the last option), which automatically upgrades websites to https. It was simple and quick to set up and content is now directly deployable from my files. As well, with Firestore's automatic scalability and powerful queries, Firebase becomes a viable alternative, especially with its other features (user authentication, realtime data synchronization, machine-learning, extensions).

Skype Web Control support

I try to find a internet place where I could find support about the Skype Web Control (dedicated support web site, forum, chat, documentation). A place where I can report problem and find help.
Here are my issues, maybe someone has a solution:
I use the Skype Web Control with a Microsoft Chatbot (Azure, LUIS) and it works pretty well.
But the smileys are not displayed in the conversion when the user send one. Space are taken to display the smiley but no smiley in there. If the user is connected, the conversation in the Skype application displays well the smileys.
And when the bot answer with a smiley, it is displayed as text :) not replaced by an image. Is there a way to do it?
I also have the following error:
Cross-Origin Request Blocked:
The Same Origin Policy disallows reading the remote resource at
https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=ACT-Web-JS-2.9.0&x-apikey=xxx.
(Reason: CORS request did not succeed).
Does anyone know how to fix it?
There are multiple questions. To enable emojis you can customize webchat control. We did it and enabled emojies and other features too. Below is the link of source of webchat:
https://github.com/Microsoft/BotFramework-WebChat
For CORS issue (cross domain security issue) have you tried placing the code on ms azure app. We faced the issue, with our own server, but not on azure app. CORS can be configured using web.config too.

LinkedIn New API - Can't Get r_network Permission

I inherited a program that was written with the old LinkedIn API, and I'm trying to migrate it to the new API. When I try to get the r_basicprofile permission, my oauth token works. However, when I try r_network or rw_nus, I get a response
invalid scope -- your application has not been authorized for
r_network.
Yet, when I go to www.linkedin.com/developer/apps/xxxx/auth, the boxes for r_network and rw_nus are checked.
I.e., A request to
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=xxxxxx&scope=r_basicprofile&state=yyyy&redirect_uri=http%3A%2F%2Fkalatublog.com%2Fwp-content%2Fmu-plugins%2Fimb-en%2Fhelpers%2Fsocial-connect%2Fapi%2Ffinalize.php%3Fapi%3Dlinkedin%26ch%zzzzz
works, but a request to
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=xxxxxx&scope=r_network&state=yyyy&redirect_uri=http%3A%2F%2Fkalatublog.com%2Fwp-content%2Fmu-plugins%2Fimb-en%2Fhelpers%2Fsocial-connect%2Fapi%2Ffinalize.php%3Fapi%3Dlinkedin%26ch%zzzzz
gives that error. What am I doing wrong?
As of May 15,
After the grace period expires, several REST API endpoints will no longer be available for general use. The following endpoints are the only ones that will remain available for use:
Profile API — /v1/people/~ `
Share API — /v1/people/~/shares
Companies API — /v1/companies/{id}
If your application is currently using any other API services (e.g. Connections, Groups, People Search, Invitation, Job Search, etc.) you will have to apply to become a member of a relevant Partner Program that provides the necessary API access to continue to leverage any of the endpoints that are not listed above.
It looks like linkedin no longer wants to share anything with their API. Creating a new app indicates that the only possible options are r_basicprofile, r_emailaddress, rw_company_admin, and w_share:
TLDR: they have locked down the API and restricted the usage to an extremely limited set of access points.
I did some more digging. The linkedin website is misleading. On my app linkedin page, it says that I'm approved for rw_nus and r_network, but on this page
https://developer.linkedin.com/support/developer-program-transition
it says those are no longer approved.
So the app home page in linkedin incorrectly said I had those permissions.
Heres the link if you want to Apply for Linkedin
https://help.linkedin.com/app/ask/path/api-dvr

Resources