stackoom
  简体   繁体   中英

android Google Play Warning: SSL Error Handler Vulnerability

 原文  2016-03-01 10:43:06       android/ ssl/ google-play/ android-security

Question

I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler"]

and they recommended me to ["To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise"]

here's my implementation of the method : 

   public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();
            }

any help please ?

3 answers

solution1
 16  2016-07-15 05:44:10

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning. 

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

After this changes it will not show warning. Reference

solution2
 9 ACCPTED  2016-03-01 11:29:08

解决方案是删除onReceivedSslError

solution3
 1  2017-06-15 06:32:39

我正在使用backendless库旧版本编译'com.backendless:backendless:3.0.11'所以我更新到最新版本编译'com.backendless:backendless:3.0.24'并解决问题。

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Google Play Warning: SSL Error Handler Vulnerability Google Play Warning: SSL Error Handler Vulnerability have a False Positive for WebViewClient.onReceivedSslErrorHandler SSL Google Play and OpenSSL vulnerability warning Google Play app rejected - SSL Error Handler SSL Warning from google play Google Play vulnerability warning for OpenSSL 1.0.2k Google Play Warning: WebViewClient.onReceivedSslError handler Bypass SSL Warning from google play SSL Error Handler WebView Android Android app rejected google play because of Vulnerability issue
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM