
App rejected by google play due to http trust manager

I am able to build release apk and when tested, everything is working fine. When I upload it to the Play Store however, it is rejected due to some malicious behavior.

ServerConnection code:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

// ALLOW_ALL_HOSTNAME_VERIFIER accepts a certificate issued for any host name.
HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
DefaultHttpClient client = new DefaultHttpClient();

// Register an HTTPS scheme whose socket factory skips hostname verification.
SchemeRegistry registry = new SchemeRegistry();
SSLSocketFactory socketFactory = SSLSocketFactory.getSocketFactory();
socketFactory.setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
registry.register(new Scheme("https", socketFactory, 443));
SingleClientConnManager mgr = new SingleClientConnManager(client.getParams(), registry);
DefaultHttpClient httpClient = new DefaultHttpClient(mgr, client.getParams());

// Set verifier: this also disables hostname verification for every HttpsURLConnection in the process.
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);

build.gradle:

implementation 'org.jbundle.util.osgi.wrapped:org.jbundle.util.osgi.wrapped.org.apache.http.client:4.1.2'

Google play rejection error message:

The app uses software that contains security vulnerabilities for users or allows the collections of user data without proper disclosure.

Your code is disabling SSL hostname verification, which, to quote the Help Center article linked in your screenshot,

ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.

This is a security vulnerability - as CommonsWare noted, you should remove all of the code in your question. If you're doing it because you were previously getting SSL verification errors, here are some common issues with SSL verification with information about how to fix them.
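As an added illustration (not code from the question or from either answer), here is what the replacement for the ServerConnection code looks like when the platform's certificate and hostname checks are left in place. The class name SecureServerConnection, the method names and the raw resource my_ca (a PEM or DER copy of a private CA certificate bundled in res/raw) are assumptions for the example; the javax.net.ssl calls are standard Android/Java APIs.

```java
// Added example: keeps full chain validation and the default hostname verifier.
// The only thing it ever changes is WHICH CA is trusted, and only for servers
// that use a private CA whose certificate ships with the app.
import android.content.Context;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class SecureServerConnection {

    private SecureServerConnection() {}

    /** Server with a certificate from a public CA: the defaults are already right. */
    public static HttpsURLConnection openPublic(String url) throws IOException {
        // No setHostnameVerifier and no setSSLSocketFactory: the platform validates
        // the chain against the system trust store and checks the host name.
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    /**
     * Server with a certificate from a private CA: trust exactly that CA
     * (pass R.raw.my_ca, an assumed resource name) while keeping chain
     * validation and the default hostname verifier.
     */
    public static HttpsURLConnection openWithPrivateCa(Context ctx, String url, int rawCaResId)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = ctx.getResources().openRawResource(rawCaResId)) {
            ca = cf.generateCertificate(in);
        }

        // Key store whose only trust anchor is the bundled CA certificate.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("private-ca", ca);

        // A real X509TrustManager built from that store. Never hand-write an
        // X509TrustManager with empty checkServerTrusted(): that is the
        // "TrustManager" pattern Play flags.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(tls.getSocketFactory());
        // Deliberately NOT calling conn.setHostnameVerifier(...): the default
        // verifier compares the certificate's SAN/CN with the URL's host, which
        // is exactly the check ALLOW_ALL_HOSTNAME_VERIFIER switched off.
        return conn;
    }
}
```

Two practical notes. First, with HttpsURLConnection you can drop the org.apache.http dependency from build.gradle entirely; that artifact is a repackaged HttpClient 4.1.2, and the Apache HttpClient was removed from Android's default class path in Android 6.0. Second, if the original ALLOW_ALL_HOSTNAME_VERIFIER was added to silence a hostname mismatch, the fix belongs on the server (the certificate's Subject Alternative Name must contain the host you connect to); on API 24 and later a Network Security Config can also declare a private CA declaratively instead of the code above.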

Try searching for "TrustManager" in your code; if none is found, in most cases it is because of included third-party libraries.

Maybe it is because you are using an older version of some library in your Gradle file.

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any question please contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM