Last week I saw a tweet about Guardian Project’s “StrongTrustManager,” which was built for increasing the security of
SSL connections in Android. It’s part of their OnionKit library, and their app Gibberbot uses it to secure its XMPP
connections.
I recently released an Android library that provides simple
SSL pinning support, and have previously written
about the great opportunity we have for mobile apps to sidestep the many problems
plaguing us with CA certificates, so I was excited to see something else out there.
Since I had just released something similar, I went to look at what the Guardian Project implementation provides, and
incidentally ended up discovering a few security vulnerabilities. I’ve decided to write them up here, since they’ve turned
out to be fairly common problems amongst TLS implementations, and might be of some value to document.