android Google 播放警告:SSL 错误处理程序漏洞

android Google Play Warning: SSL Error Handler Vulnerability

我在我的应用程序中使用 gorbin/ASNE SDK。我最近收到一封来自 Google 的电子邮件,主题如下:"Google Play Warning: SSL Error Handler Vulnerability"。在这封电子邮件中,Google 解释说我的应用有一个 ["unsafe implementation of the WebViewClient.onReceivedSslError handler"]

他们推荐我去 ["To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise"]

这是我对该方法的实现:

   public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();
            }

有什么帮助吗?

解决办法是去掉 onReceivedSslError

要正确处理 SSL 证书验证,请更改您的代码以在服务器提供的证书满足您的期望时调用 SslErrorHandler.proceed(),否则调用 SslErrorHandler.cancel()

例如,我添加了一个警告对话框让用户确认并且似乎 Google 不再显示警告。

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

此更改后将不会显示警告。

我正在使用 backendless 库旧版本编译 'com.backendless:backendless:3.0.11' 所以我 update 到最新版本编译 'com.backendless:backendless:3.0.24' 并解决问题。