SSL Warning from google play

。_饼干妹妹 submitted on 2019-12-06 21:17:52

Question


Got warning from google play.

How can i handle "SSL Error Handler Vulnerability" of unsafe implementation of the WebViewClient.onReceivedSslError handler.

"Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise."


Answer 1:


I have received the same warning today, and it informs me that the issue comes from the SDK of one of my ad networks (InMobi, I'm really considering dropping them as they have a lot of fraudulent, auto-redirect banners, and now this...):

com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient

What is the affected class in your case? If it is one of your own classes, you'll have to read the technical documentation and fix your implementation.

If, like me, you are just the victim of one of your external libraries, contact the developers to ask them to provide a fixed library (or drop the library).




Answer 2:


You should first check that you use the WebViewClient.onReceivedSslError handler properly.

If you're not using the WebViewClient library or if you're already using it properly, the problem is probably coming from a third-party library. You could first use this Linux command in the root directory of your project to identify which libraries could be responsible for the problem:

find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;

This will list the files inside all your jar files having the "OnReceivedSslError" string.

After that, you may check if the Google recommendations to handle the vulnerability are respected in each matched file.




Answer 3:


If you don't need to handle things in onReceivedSslError(WebView, SslErrorHandler, SslError), just remove this method to avoid the Google Play warning. Otherwise, you also should not proceed it directly. Here is an example by @sakiM, Webview avoid security alert from google play upon implementation of onReceivedSslError

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

If the method onReceivedSslError has been invoked by a 3rd-party library, just contact the provider.




Answer 4:


Hi, here is the latest solution to solve your problem. Hope it will help someone:

//COPY PASTE THIS CODE AND REMOVE THE onReceivedError() method.

/**
 * Notify the host application that an SSL error occurred while loading a
 * resource. The host application must call either handler.cancel() or
 * handler.proceed(). Note that the decision may be retained for use in
 * response to future SSL errors. The default behavior is to cancel the
 * load.
 *
 * @param view    The WebView that is initiating the callback.
 * @param handler An SslErrorHandler object that will handle the user's
 *                response.
 * @param error   The SSL error object.
 */
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // Describe the primary error so the user knows what they would be overriding
    String msg;
    switch (error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            msg = "The date of the certificate is invalid";
            break;
        case SslError.SSL_INVALID:
            msg = "A generic error occurred";
            break;
        case SslError.SSL_EXPIRED:
            msg = "The certificate has expired";
            break;
        case SslError.SSL_IDMISMATCH:
            msg = "Hostname mismatch";
            break;
        case SslError.SSL_NOTYETVALID:
            msg = "The certificate is not yet valid";
            break;
        case SslError.SSL_UNTRUSTED:
            msg = "The certificate authority is not trusted";
            break;
        default:
            msg = "";
            break;
    }
    // Let the user decide; proceed() only runs when they explicitly choose "continue"
    final AlertDialog.Builder builder = new AlertDialog.Builder(OnlinePayment.this);
    builder.setMessage(msg);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}
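Both Answer 3 and Answer 4 leave the decision to the user via a dialog. Google's wording in the question asks for something stricter: call proceed() only when the certificate "meets your expectations". The following is an added example of that stricter form, not code from the thread or from any library; it pins the SHA-256 fingerprint of one expected leaf certificate and proceeds only when the failing request is for the pinned host, the error is SSL_UNTRUSTED (an unknown issuer, the usual case for an internal or self-signed certificate), and the presented certificate's fingerprint matches. PINNED_HOST and PINNED_SHA256 are placeholder values, and SslCertificate.getX509Certificate() requires API level 29 or later.

```java
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Locale;

/**
 * WebViewClient that proceeds past an SSL error only when the presented leaf
 * certificate is exactly the one the app expects. Everything else is cancelled,
 * which is also the platform default when onReceivedSslError is not overridden.
 * Requires API 29+ for SslCertificate.getX509Certificate().
 */
public class PinnedWebViewClient extends WebViewClient {
    // Placeholder values for illustration only; replace with your own host and
    // the lowercase hex SHA-256 of your certificate's DER encoding.
    static final String PINNED_HOST = "selfsigned.internal.example";
    static final String PINNED_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (certificateMatchesPin(error)) {
            handler.proceed();   // the exact certificate we expected
        } else {
            handler.cancel();    // abort the load; never ask the user to override
        }
    }

    /**
     * True only when: the failing URL is on the pinned host, the primary error is
     * SSL_UNTRUSTED (pinning answers "is this issuer trusted?", nothing else), and the
     * leaf certificate's SHA-256 fingerprint equals the pinned value. An expired or
     * hostname-mismatched certificate is rejected even if its fingerprint matches.
     */
    static boolean certificateMatchesPin(SslError error) {
        String host = Uri.parse(error.getUrl()).getHost();
        if (host == null || !host.equalsIgnoreCase(PINNED_HOST)) {
            return false;
        }
        if (error.getPrimaryError() != SslError.SSL_UNTRUSTED) {
            return false;
        }
        SslCertificate presented = error.getCertificate();
        if (presented == null) {
            return false;
        }
        X509Certificate x509 = presented.getX509Certificate();   // API 29+
        if (x509 == null) {
            return false;
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
            // Constant-time comparison of the hex fingerprints
            return MessageDigest.isEqual(toHex(digest).getBytes(), PINNED_SHA256.getBytes());
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            return false;
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format(Locale.ROOT, "%02x", b));
        }
        return sb.toString();
    }
}
```

Install it with webView.setWebViewClient(new PinnedWebViewClient()). The pinned fingerprint can be computed from the certificate file with openssl x509 -in cert.pem -noout -fingerprint -sha256 (strip the colons and lowercase it). Because the pin is tied to one exact certificate, the app needs an update whenever that certificate is rotated; if that is not acceptable, a better fix is usually to have the server present a publicly trusted certificate so the override is never needed at all.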



Answer 5:


This may be caused by the third-party libraries used in your application, which include OpenSSL. It happened in my case. The library is mentioned in the alert by Google Play. I used the following grep command with that library included:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

This command will show a lengthy log if there is an OpenSSL issue because of that library.

+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
CAMELLIA part of OpenSSL 1.0.1h 5 Jun 2014
EDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
RC4 part of OpenSSL 1.0.1h 5 Jun 2014
:Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
%s(%d): OpenSSL internal error, assertion failed: %s
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
OpenSSL default
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
DSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014

Try the same command for another APK without that library. It will show just two lines like the following:

+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
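Answer 2's zipgrep one-liner only looks inside .jar files, and Answer 5's strings|grep pass looks at the whole APK. The scanner below is an added example, not code from the thread, that generalises both: it walks a directory (a project tree or the Gradle cache), opens every .jar, .aar and .apk, descends into the classes.jar nested inside an .aar, and reports each .class or .dex entry whose bytes contain the UTF-8 marker "onReceivedSslError". Class constant pools and dex string pools store method names as plain (M)UTF-8, so a byte search finds every class that overrides or calls the callback. The directory argument and the marker string are the only inputs; nothing else is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/**
 * Reports every archive entry (jar!.class, aar!classes.jar!.class, apk!classes*.dex)
 * under a directory whose bytes contain the onReceivedSslError method name.
 */
public class SslHandlerScanner {
    static final byte[] MARKER = "onReceivedSslError".getBytes(StandardCharsets.UTF_8);

    /** Walk root and scan each jar/aar/apk found; returns "archive!entry" labels of hits. */
    public static List<String> scan(Path root) throws IOException {
        List<String> hits = new ArrayList<>();
        try (Stream<Path> files = Files.walk(root)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                String name = p.getFileName().toString().toLowerCase();
                if (name.endsWith(".jar") || name.endsWith(".aar") || name.endsWith(".apk")) {
                    try (InputStream in = Files.newInputStream(p)) {
                        scanArchive(p.toString(), in, hits);
                    }
                }
            }
        }
        return hits;
    }

    /** Search one archive stream; nested jars (aar -> classes.jar) are descended recursively. */
    static void scanArchive(String label, InputStream in, List<String> hits) throws IOException {
        ZipInputStream zip = new ZipInputStream(in);
        ZipEntry e;
        while ((e = zip.getNextEntry()) != null) {
            if (e.isDirectory()) {
                continue;
            }
            byte[] data = readAll(zip);   // reads exactly this entry's bytes
            String entryLabel = label + "!" + e.getName();
            if (e.getName().endsWith(".jar")) {
                scanArchive(entryLabel, new ByteArrayInputStream(data), hits);
            } else if (e.getName().endsWith(".class") || e.getName().endsWith(".dex")) {
                if (indexOf(data, MARKER) >= 0) {
                    hits.add(entryLabel);
                }
            }
        }
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /** Plain byte-array substring search; returns the first index of needle or -1. */
    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        for (String hit : scan(root)) {
            System.out.println(hit);
        }
    }
}
```

Run it as javac SslHandlerScanner.java && java SslHandlerScanner ~/.gradle/caches (or the project directory). A hit only proves that the class names the method, either as an override or as a call site; to see whether that override calls proceed() unconditionally, disassemble the class (for example with javap -c) and look for the branch, or its absence, before the proceed() invocation. A dex hit inside your own APK usually points at your own code, which is the case Answer 3 and Answer 4 address.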


Source: https://stackoverflow.com/questions/32775592/ssl-warning-from-google-play
