堆栈内存溢出
  简体   繁体   English

Google Play开发者控制台拒绝了我的应用更新

[英]Google Play Developer Console rejected My Application Update

 原文  2016-07-10 18:17:54       android/ android-security/ google-console-developer/ sslerrorhandler

问题描述

I am trying to understand and fix why is my App rejected I know it's about SSL, but I can't seem to find which dependency is causing it. 我试图理解并解决为什么我的应用程序被拒绝我知道它是关于SSL的,但我似乎无法找到导致它的依赖项。 I am using the next setup: 我正在使用下一个设置:

  1. Android N (24) Android N(24)
  2. Fabric. 布。
  3. MixPanel. MixPanel。
  4. Quickblox. Quickblox。
  5. Crashlytics Crashlytics
  6. Analytics. Analytics(分析)。

Any help would be appreciated. 任何帮助,将不胜感激。

Update : This is from the alerts Section 更新:这是来自警报部分

Security alert 安全警报

Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. 您的应用程序具有WebViewClient.onReceivedSslError处理程序的不安全实现。 Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. 具体来说,该实现忽略了所有SSL证书验证错误,使您的应用程序容易受到中间人攻击。 An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript. 攻击者可以使用JavaScript更改受影响的WebView内容,读取传输的数据(例如登录凭据),以及在应用程序内部执行代码。 To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. 要正确处理SSL证书验证,只要服务器提供的证书符合您的期望,就更改代码以调用SslErrorHandler.proceed(),否则调用SslErrorHandler.cancel()。 An email alert containing the affected app(s) and class(es) has been sent to your developer account address. 包含受影响的应用和类别的电子邮件警报已发送到您的开发者帐户地址。 Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. 请尽快解决此漏洞并增加已升级APK的版本号。 For more information about the SSL error handler, please see our documentation in the Developer Help Center. 有关SSL错误处理程序的更多信息,请参阅开发人员帮助中心中的文档。 For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler.” If you are using a 3rd party library that's responsible for this, please notify the 3rd party and work with them to address the issue. 对于其他技术问题,您可以发布到https://www.stackoverflow.com/questions并使用标签“android-security”和“SslErrorHandler。”如果您使用的是负责此操作的第三方库,请通知第三方并与他们合作解决问题。 To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. 要确认您已正确升级,请将更新后的版本上传到开发者控制台,并在五小时后再回来查看。 If the app hasn't been correctly upgraded, we will display a warning. 如果应用尚未正确升级,我们将显示警告。 Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. 请注意,虽然这些特定问题可能不会影响使用WebView SSL的每个应用程序,但最好保持所有安全补丁的最新状态。 Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement. 如果应用程序存在漏洞,导致用户面临泄密风险,则可能会被视为违反了我们的恶意行为政策和开发者分发协议第4.4节。 Please ensure all apps published are compliant with the Developer Distribution Agreement and Developer Program Policies. 请确保发布的所有应用均符合开发者分发协议和开发者计划政策。 If you have questions or concerns, please contact our support team through the Google Play Developer Help Center. 如果您有任何疑问或疑虑,请通过Google Play开发者帮助中心与我们的支持小组联系。 Affects APK version 2. 影响APK版本2。

2 个解决方案

解决方案1
 1  2016-07-15 06:29:23

You need to update Your webViewClient handler as described below. 您需要更新您的webViewClient处理程序,如下所述。 If in your application you have not used webview with onReceivedSslError() then check for you used SDKs latest version to get updated version according to Google's new Security policy. 如果您的应用程序中没有将webview与onReceivedSslError()一起使用,那么请根据Google的新安全策略检查您是否使用了SDKs最新版本来获取更新版本。

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. 要正确处理SSL证书验证,只要服务器提供的证书符合您的期望,就更改代码以调用SslErrorHandler.proceed(),否则调用SslErrorHandler.cancel()。

For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning. 例如,我添加了一个警告对话框,以便用户确认并且Google似乎不再显示警告。 

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

After this changes it will not show warning. 更改后,它不会显示警告。

解决方案2
 1 已采纳  2016-07-20 18:46:14

更新版本修复后问题是BackEndless。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 应用更新在 Google Developer Console 中被拒绝 - App update rejected in Google Developer Console Google Play 管理中心拒绝了我的应用更新,说应用不符合 Google Play 政策 - Google Play Console rejected my app update saying app is not compliant with Google Play Policies 如何从Google Play开发者控制台中删除被拒绝的应用程序? - How to remove rejected apps from Google Play Developer Console? 有没有办法从 Google Play Developer Console 中删除被拒绝的应用程序? - Is there any way to delete rejected app from Google Play Developer Console? 我的 android 应用程序在 Google Play 商店中被拒绝 - My android application rejected in google play store 该应用程序与Google Play控制台中的任何设备都不兼容,但在开发者控制台中兼容 - The application is not compatible with any device in the Google Play Console, but is compatible on the developer console Google Play开发者控制台显示,自上次更新以来,我的APK中的本地化已更改 - Google Play Developer Console shows localizations have changed in my APK since last update 为什么我的应用程序更新遭到Google Play拒绝? - Why did my app update get rejected from Google Play? 从Google Play商店中删除更新(开发者控制台) - Remove update from Google Play Store (Developer Console) Google Play 开发者控制台:应用卡在“正在处理更新” - Google Play Developer Console: App stuck in “Processing Update”
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM