Android apps impacted due to CT v2 log list turn down.


G v Ravi kumar

May 4, 2023, 8:06:19 AM
to certificate-transparency
Hi Google,
We have received a mail stating that the below list of applications could get impacted
  • com.highq.highqnow
  • com.thomsonreuters.cs.onvio.drive
  • com.thomsonreuters.cs.onvio.clientcenter
  • com.highq.highqdrive
  • com.thomsonreuters.cs.onvio.employeecenter
  • com.thomsonreuters.clms
because of,
Firstly, 
https://www.gstatic.com/ct/log_list/v2/log_list.json will start returning 404 on 2023-06-07 around 10AM UTC+1.
Secondly, the existing log lists represent Chrome’s up to date interpretation of the CT ecosystem and are intended for use by CAs and CT monitors, not for CT enforcement by clients. The priority for these lists is to protect Chrome’s users.
I have a few questions about this email.
  • Could you explain what this issue is and how it takes effect on my Android apps?
  • If the effect is taking place, please suggest some information/instructions on how to deal with this issue in Android applications.
  • I read some conversations about halting this endpoint. On Feb 15 2023, this API was halted; I observe there were no outages in the above list of applications. Can we assume that our applications are safe with the termination of this API? Please confirm.

regards,
ravikumargv
Senior Mobile Android App developer

Roger Ng

May 5, 2023, 5:53:34 PM
to certificate-transparency
Hi ravikumargv,

Thanks for your questions. As there is some sensitive information, I will send you a private message to follow up.

Cheers,
Roger

Deyan Bektchiev

May 6, 2023, 12:25:26 PM
to certificate-transparency
Ravikumargv,

Maybe I'm missing some context for these apps; however, if one is developing a custom app that is not a browser and only connects to a set of well-known URLs, you can use much stronger guarantees regarding certificate authenticity than CT: you can have a private, non-public CA that issues your certificates and/or use certificate pinning.

When the certificates are rotated, you can issue an updated app that has both the new and the old certificate and handle the rotation that way (there is probably more than one way to handle this as well).

Regards,
Deyan
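
As an added illustration of the pinning-with-rotation approach Deyan describes (example configuration written for this page, not from the original thread or from any of the listed apps): an Android network security configuration that pins one hostname to two SubjectPublicKeyInfo hashes, the key currently deployed on the server and the key already generated for the next rotation. The hostname api.example.com, the expiration date and both pin values are placeholders; a real pin is the base64 SHA-256 digest of the DER-encoded SPKI of a certificate in the chain.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; hostname, date and pins are placeholders).
     Referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- A chain is accepted only if some certificate in it has an SPKI whose
             SHA-256 digest matches one of these pins. Two pins are listed: the key
             in use now and the key prepared for the next rotation, so the server
             can cut over to the new key without waiting for an app release. -->
        <pin-set expiration="2024-12-31">
            <!-- current server key (placeholder value) -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- next server key, generated ahead of time and kept offline (placeholder value) -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <!-- Pinning is checked in addition to normal chain validation. To use a
             private CA as Deyan suggests, add <certificates src="@raw/my_ca" />
             here instead of, or as well as, the system store. -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The pin for a PEM certificate can be computed with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Pinning the public key rather than the certificate means a renewal that keeps the same key pair needs no app update; only a key change consumes the backup pin, at which point a new release ships the next backup. The `expiration` attribute is the safety valve: once the date passes, Android stops enforcing the pin set and falls back to ordinary chain validation, so users who never update are not locked out by a forgotten rotation. This check is performed by the platform TLS stack and does not consult any CT log list, so it is unaffected by the log_list.json endpoint being turned down; note that it only applies to connections that use the platform trust manager (HttpsURLConnection, and OkHttp by default), not to code that installs its own TrustManager.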

