I recently received an email from Google with the following subject: "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript."] ...
I am using in my code:
    webView.setWebViewClient(new WebViewClient() {
        @Override
        public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {}

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }

        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return super.shouldOverrideUrlLoading(view, url);
        }

        @Override
        public void onPageFinished(WebView view, String url) {
            super.onPageFinished(view, url);
            // My code
        }
    });
    // My code
    webview_ClientPost(webView, "https://secure.payu.in/_payment", mapParams.entrySet());
Why is Google Play sending this warning regarding SSL? Is this an issue with my code or a PayUMoney issue?
I hope it is not too late for this. That warning means you should notify the user that they are going to a page with an invalid cert; you should not proceed directly.
You can implement an alert dialog, something like this:
This was taken from sakiM's answer at this link: Webview avoid security alert from google play upon implementation of onReceivedSslError
The problem is in your code. When you call handler.proceed(); like that, it effectively removes all the security from your connection. You should remove your onReceivedSslError method. The default implementation will reject insecure connections.
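An added example, not code from the question or from either answer: a WebViewClient that keeps the rejecting behaviour described above but also records which certificate check failed, so the app can show its own error screen instead of a blank page. The class name StrictSslWebViewClient and the Listener callback are hypothetical names chosen for this sketch; install it with webView.setWebViewClient(new StrictSslWebViewClient(listener)).

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical class: replaces the anonymous client that called handler.proceed().
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "StrictSslWebViewClient";

    /** Hypothetical callback so the host Activity can render its own error UI. */
    public interface Listener {
        void onCertificateRejected(String url, String reason);
    }

    private final Listener listener;

    public StrictSslWebViewClient(Listener listener) {
        this.listener = listener;
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Abort the load. This matches the default implementation; proceed() is never called.
        handler.cancel();

        String reason = describe(error.getPrimaryError());
        Log.w(TAG, "TLS certificate rejected for " + error.getUrl() + ": " + reason);
        if (listener != null) {
            listener.onCertificateRejected(error.getUrl(), reason);
        }
    }

    /** Maps the SslError primary error constant to a short diagnostic string. */
    static String describe(int primaryError) {
        switch (primaryError) {
            case SslError.SSL_NOTYETVALID:  return "certificate is not yet valid";
            case SslError.SSL_EXPIRED:      return "certificate has expired";
            case SslError.SSL_IDMISMATCH:   return "hostname does not match the certificate";
            case SslError.SSL_UNTRUSTED:    return "certificate authority is not trusted";
            case SslError.SSL_DATE_INVALID: return "certificate date is invalid";
            default:                        return "generic certificate error";
        }
    }
}
```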