Andrew Ayer6d ago

DO NOT USE THE APPMATTUS CERTIFICATE TRANSPARENCY ANDROID LIBRARY.

Over two years ago the library's developers were warned about the need to monitor the ct-policy mailing list if they were going to consume the Chrome CT log lists.

Over six months ago, an upcoming change to the log lists was announced on ct-policy.

The Appmatus developers ignored this, so when the change was published today, Android apps using Appmatus stopped working. Affected app developers are now flooding CT mailing lists demanding the log list change be reverted. The right fix is to stop using Appmatus - it's clearly not fit for purpose.

GitHub - appmattus/certificatetransparency: Certificate transparency for Android and JVM

Certificate transparency for Android and JVM. Contribute to appmattus/certificatetransparency development by creating an account on GitHub.

GitHub
Show threadAndrew Ayer6d ago
The Appmattus CT library doesn't even need to exist anymore - as of Android 16, you can opt your app into Certificate Transparency enforcement provided by the OS: https://developer.android.com/privacy-and-security/security-config#certificateTransparencySummary
Network security configuration  |  Security  |  Android Developers

Feature that allows app developers to customize network security settings in a safe configuration file.

Android Developers
Show threadAndrew Ayer
Folks at Google have taken time on a Saturday to roll out a creative hack to unbreak the apps using this library. The folks at Apple, Google, and Mozilla who work on WebPKI and CT policy are truly some of the Internet's unsung heroes, for this and many other reasons.
Jun 21 at 10:20pmWeb
Show threadMichael Lynch5d ago
@agwa your summary in the issue tracker is a great explanation. I also appreciate @Edent's contribution to the thread.
Show threadAndrew Ayer5d ago
@michael @Edent Thanks! And yes, @Edent raises a great point.