Google 为不安全的 TrustManager 播放安全警报
Google Play security alert for insecure TrustManager
在我的一个应用程序中,我使用带有自签名证书的 HTTPS,并遵循 android 开发人员培训网站 (https://developer.android.com/training/articles/security-ssl.html#UnknownCa) 中的示例代码。
我最近收到以下警告,指出当前实施不安全:
Security alert
Your app is using an unsafe implementation of the
X509TrustManager interface with an Apache HTTP client, resulting in a
security vulnerability. Please see this Google Help Center article for
details, including the deadline for fixing the vulnerability.
除了上面链接的示例代码之外,有人可以提供更多关于应该更新哪些内容的详细信息吗?
我应该实施自定义 TrustManager 吗?如果是,它应该验证什么?
尝试在你的代码中搜索"TrustManager",如果能找到none,大多数情况是因为包含了第三方库。
对我来说,这是因为使用了旧版本的 ACRA (https://github.com/ACRA/acra)。
对我来说,问题是 Mobilecore。我已从应用程序中删除库并上传新版本的 apk,警告已从 GPlay 开发者控制台中消失。
我还发现 ARCA 4.3 似乎可能是我的应用程序的罪魁祸首。
问题,有谁知道验证问题是否已解决?目前,我可以访问的 Play 商店并未导致 Google 向我发出警告,但我们发布该应用程序的合作伙伴之一收到了警告。在向我们的合作伙伴提供新的 APK 之前,我想验证问题是否已解决。
可能晚了,但希望它能帮助别人,在请求服务器之前调用这个方法。如果证书不信任,你有实施对话框或其他用户可以决定的东西,在这里我使用警报对话框。
public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task){
try {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new X509TrustManager[]{new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
try {
chain[0].checkValidity();
} catch (final Exception e) {
mActivity.runOnUiThread(new Runnable() {
@Override
public void run() {
AlertDialog.Builder builder = new AlertDialog.Builder(mActivity);
AlertDialog alertDialog = builder.create();
alertDialog.setCancelable(false);
String message = "There a problem with the security certificate for this web site.";
message += "\nDo you want to continue anyway?";
alertDialog.setTitle("SSL Certificate Error");
alertDialog.setMessage(message);
alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
acceptSSL = true;
return;
}
});
alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
acceptSSL = true;
task.onInterruptedDownload();
}
});
alertDialog.show();
}
});
while( !acceptSSL){
try{
Thread.sleep(1000);
} catch( InterruptedException er) { }
}
}
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}}, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
} catch (Exception e) { // should never happen
e.printStackTrace();
}
}
在我的一个应用程序中,我使用带有自签名证书的 HTTPS,并遵循 android 开发人员培训网站 (https://developer.android.com/training/articles/security-ssl.html#UnknownCa) 中的示例代码。
我最近收到以下警告,指出当前实施不安全:
Security alert
Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
除了上面链接的示例代码之外,有人可以提供更多关于应该更新哪些内容的详细信息吗?
我应该实施自定义 TrustManager 吗?如果是,它应该验证什么?
尝试在你的代码中搜索"TrustManager",如果能找到none,大多数情况是因为包含了第三方库。
对我来说,这是因为使用了旧版本的 ACRA (https://github.com/ACRA/acra)。
对我来说,问题是 Mobilecore。我已从应用程序中删除库并上传新版本的 apk,警告已从 GPlay 开发者控制台中消失。
我还发现 ARCA 4.3 似乎可能是我的应用程序的罪魁祸首。
问题,有谁知道验证问题是否已解决?目前,我可以访问的 Play 商店并未导致 Google 向我发出警告,但我们发布该应用程序的合作伙伴之一收到了警告。在向我们的合作伙伴提供新的 APK 之前,我想验证问题是否已解决。
可能晚了,但希望它能帮助别人,在请求服务器之前调用这个方法。如果证书不信任,你有实施对话框或其他用户可以决定的东西,在这里我使用警报对话框。
public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task){
try {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new X509TrustManager[]{new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
try {
chain[0].checkValidity();
} catch (final Exception e) {
mActivity.runOnUiThread(new Runnable() {
@Override
public void run() {
AlertDialog.Builder builder = new AlertDialog.Builder(mActivity);
AlertDialog alertDialog = builder.create();
alertDialog.setCancelable(false);
String message = "There a problem with the security certificate for this web site.";
message += "\nDo you want to continue anyway?";
alertDialog.setTitle("SSL Certificate Error");
alertDialog.setMessage(message);
alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
acceptSSL = true;
return;
}
});
alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
acceptSSL = true;
task.onInterruptedDownload();
}
});
alertDialog.show();
}
});
while( !acceptSSL){
try{
Thread.sleep(1000);
} catch( InterruptedException er) { }
}
}
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}}, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
} catch (Exception e) { // should never happen
e.printStackTrace();
}
}