Google Play Warning: WebViewClient.onReceivedSslEr

2019-03-10 03:09发布


I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript."] ....................

I am using in my code:

    webView.setWebViewClient(new WebViewClient() {

        public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {}

        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {

        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return super.shouldOverrideUrlLoading(view, url);

        public void onPageFinished(WebView view, String url) {
            super.onPageFinished(view, url);
            // My code

// My code

webview_ClientPost(webView, "", mapParams.entrySet());

Why the Google play sending this warning regarding SSL? Is this my code issue or PayUMoney issue?


I hope is not too late for this.. that warning is about you should notify user is going to a page with invalid cert, you should not proceed it directly.

You can implment an alert dialog something like this:

public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        public void onClick(DialogInterface dialog, int which) {
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        public void onClick(DialogInterface dialog, int which) {
    final AlertDialog dialog = builder.create();;

This was taken from sakiM answers in this link: Webview avoid security alert from google play upon implementation of onReceivedSslError


The problem is in your code. When you call handler.proceed(); like that, it effectively removes all the security from your connection.

You should remove your onReceivedSslError method. The default implementation will reject insecure connections.