Use of deprecated OkHttp API for sslSocketFactory can fail to extract TrustManager object

[stevelilly-tw]

Mode: sandbox or live
PayPal Android SDK 2.14.4
Android 6.0.1, OnePlus One
Also reproducible on Android 4.4 Emulator x86_64

Issue Description

Our app supports Google and PayPal as login methods. We are able to launch the PayPalProfileSharingActivity successfully. However, if beforehand an attempt has been made to use the Google method, the SSL context of the app is changed, after which launching PayPalProfileSharingActivity leads to a crash:

java.lang.RuntimeException: Unable to bind to service com.paypal.android.sdk.payments.PayPalService@b1a9a9c0 with Intent { cmp=com.myapp/com.paypal.android.sdk.payments.PayPalService (has extras) }: java.lang.IllegalStateException: Unable to extract the trust manager on okhttp3.internal.platform.AndroidPlatform@b1a9eec0, sslSocketFactory is class com.paypal.android.sdk.cg
    at android.app.ActivityThread.handleBindService(ActivityThread.java:2611)
    at android.app.ActivityThread.access$1900(ActivityThread.java:135)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1283)
    at android.os.Handler.dispatchMessage(Handler.java:102)
    at android.os.Looper.loop(Looper.java:136)
    at android.app.ActivityThread.main(ActivityThread.java:5017)
    at java.lang.reflect.Method.invokeNative(Native Method)
    at java.lang.reflect.Method.invoke(Method.java:515)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:779)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:595)
    at dalvik.system.NativeStart.main(Native Method)
 Caused by: java.lang.IllegalStateException: Unable to extract the trust manager on okhttp3.internal.platform.AndroidPlatform@b1a9eec0, sslSocketFactory is class com.paypal.android.sdk.cg
    at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.java:599)
    at com.paypal.android.sdk.cc.a(Unknown Source)
    at com.paypal.android.sdk.cm.<init>(Unknown Source)
    at com.paypal.android.sdk.payments.PayPalService.a(Unknown Source)
    at com.paypal.android.sdk.payments.PayPalService.onBind(Unknown Source)
    at android.app.ActivityThread.handleBindService(ActivityThread.java:2598)
    at android.app.ActivityThread.access$1900(ActivityThread.java:135) 
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1283) 
    at android.os.Handler.dispatchMessage(Handler.java:102) 
    at android.os.Looper.loop(Looper.java:136) 
    at android.app.ActivityThread.main(ActivityThread.java:5017) 
    at java.lang.reflect.Method.invokeNative(Native Method) 
    at java.lang.reflect.Method.invoke(Method.java:515) 
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:779) 
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:595) 
    at dalvik.system.NativeStart.main(Native Method) 

I've raised this issue also with OkHttp here square/okhttp#2827
The failure seems to be that a different classloader is used between the SSLSocketFactory and the delegate object. Attempting a Google login first somehow swaps the com.android.org.conscrypt.SSLParametersImpl for a com.google.android.gms.org.conscrypt.SSLParametersImpl under the hood.

While the OkHttp logic could be relaxed to handle this case we do note that
Builder.sslSocketFactory(SSLSocketFactory) is deprecated in favor of sslSocketFactory(SSLSocketFactory, X509TrustManager) - which would eliminate the need for using reflection on hidden APIs to extract the trust manager. Could the PayPal SDK be modified to use this API?

Thanks!

[braebot]

Thanks for the issue. Yes, we should do this. I have made the change internally, and will do some testing before releasing a fix.

[braebot]

This issue should be fixed in 2.14.6.