android Google Play Warning: SSL Error Handler Vulnerability

android ssl google-play android-security

I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler"]

and they recommended me to ["To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise"]

here's my implementation of the method : 

   public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();
            }

any help please ?


Solution 1:

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

After this changes it will not show warning. Reference

Solution 2:

the solution is to remove onReceivedSslError

Solution 3:

I was using backendless library old version compile 'com.backendless:backendless:3.0.11' so i update to latest version compile 'com.backendless:backendless:3.0.24' and issue solved.

Related

Why do <fieldset>s clear floats?
What exactly are C++ definitions, declarations and assignments?
How does JavaScript mechanism behind react hooks work?
how to disable cookies using webdriver for Chrome and FireFox JAVA
Calculating permutations in F#
SetWindowsHookEx failing in .NET 4.0 on 32-bit machine with "module not found"?
Getting backing bean value with Javascript
How to limit display of iframe from an external site to specific domains only
Java JDBC ignores setFetchSize?
Portable data reinterpretation
Why use "self" to access ActiveRecord/Rails model properties?
Trigger event with infoWindow or InfoBox on click Google Map API V3