Guardian’s StrongTrustManager Vulnerabilities

Last week I saw a tweet about Guardian Project’s “StrongTrustManager,” which was built for increasing the security of SSL connections in Android. It’s part of their OnionKit library, and their app Gibberbot uses it to secure its XMPP connections.

I recently released an Android library that provides simple SSL pinning support, and have previously written about the great opportunity we have for mobile apps to sidestep the many problems plaguing us with CA certificates, so I was excited to see something else out there.

Since I had just released something similar, I went to look at what the Guardian Project implementation provides, and incidentally ended up discovering a few security vulnerabilities. I’ve decided to write them up here, since they’ve turned out to be fairly common problems amongst TLS implementations, and might be of some value to document.