Google 播放警告:SSL 错误处理程序漏洞对 WebViewClient.onReceivedSslErrorHandler SSL 有误报

Google Play Warning: SSL Error Handler Vulnerability have a False Positive for WebViewClient.onReceivedSslErrorHandler SSL

我是共享 library project that just received notice 的贡献者,我们的一位客户从 Google Play 商店收到此警告,

Hello Google Play Developer, In July, the app submissions listed at the end of this email were rejected due to an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. This implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

在查看扩展 WebViewClient 的 AuthorizationWebViewClient 时,我们没有实现 onReceivedSslErrorHandler,这意味着我们属于默认实现,将此库放在明文中。

如果这是误报,或者是否需要对此库进行更改,我们能否得到确认?

更新: 这是由于存在此漏洞时使用的 SDK 版本要旧得多,当前的代码库没有此问题,因此断开连接。

我不确定有问题的具体应用是什么,但有些应用存在易受攻击的问题 com.microsoft.services.msa.AuthorizationRequest$OAuthDialog$AuthorizationWebViewClient。

例如,反汇编一个应用程序的代码表明它实际上有一个 onReceivedSslErrorHandler 实现。

.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .registers 4
    .param p1, "view"    # Landroid/webkit/WebView;
    .param p2, "handler"    # Landroid/webkit/SslErrorHandler;
    .param p3, "error"    # Landroid/net/http/SslError;

    .prologue
    .line 143
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V

    .line 144
    return-void
.end method