android Google Play Warning: SSL Error Handler Vulnerability

Asked 1/3, 2016 at 10:43 Answered 15/6, 2017 at 6:32

Solved android ssl google-play android-security

I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler"]

and they recommended me to ["To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise"]

here's my implementation of the method :

   public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();
            }

any help please ?

Balmuth answered 1/3, 2016 at 10:43 Comment(1)

There are lots of similar questions, please have a look first. – Haffner 1/3, 2016 at 11:11

the solution is to remove onReceivedSslError.

Balmuth answered 1/3, 2016 at 11:29 Comment(3)

I followed by this commit: github.com/gorbin/ASNE/commit/…. – Ullyot 3/3, 2016 at 7:55

But then your webview will show nothing if the website ssl certificate has problem. No content or warning shown to user – Caudal 25/11, 2019 at 2:39

I got this same warning from google that they will delete my app in 2 months, and I don't use onReceivedSslError – Vivianaviviane 8/6 at 22:12

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

After this changes it will not show warning. Reference

Symphonist answered 15/7, 2016 at 5:44 Comment(1)

Applications are advised not to prompt the user about SSL errors, as the user is unlikely to be able to make an informed security decision and WebView does not provide any UI for showing the details of the error in a meaningful way. – Suzannasuzanne 8/2, 2021 at 13:41

the solution is to remove onReceivedSslError.

Balmuth answered 1/3, 2016 at 11:29 Comment(3)

I followed by this commit: github.com/gorbin/ASNE/commit/…. – Ullyot 3/3, 2016 at 7:55

But then your webview will show nothing if the website ssl certificate has problem. No content or warning shown to user – Caudal 25/11, 2019 at 2:39

I got this same warning from google that they will delete my app in 2 months, and I don't use onReceivedSslError – Vivianaviviane 8/6 at 22:12

I was using backendless library old version compile 'com.backendless:backendless:3.0.11' so i update to latest version compile 'com.backendless:backendless:3.0.24' and issue solved.

Probate answered 15/6, 2017 at 6:32 Comment(0)

Recommended topics

Hot tags