Google Play Warning: SSL Error Handler Vulnerability #174

Closed
indication opened this issue Feb 29, 2016 · 1 comment
@indication
Owner

Hello Google Play Developer,

Your app listed at the end of this email has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

For more information about the SSL error handler, please see our documentation in the Android Developers Help Center. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “SslErrorHandler.”

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been upgraded correctly, we will display a warning.

While these specific issues may not affect every app that uses WebView SSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered Dangerous Products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

@indication
Owner Author

This is spec.
We allow access to self-signed sites that the user specified.
But it is necessary to prompt the user.

@indication indication added the bug label Jun 19, 2016
@indication indication added this to the Version 4.0 milestone Jun 19, 2016
@indication indication self-assigned this Jun 19, 2016
indication pushed a commit that referenced this issue Jun 19, 2016
Fix Google Play Warning: SSL Error Handler Vulnerability (#174)
@indication indication mentioned this issue Jun 19, 2016
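
One way to implement the handling discussed in this issue (cancel by default, and prompt the user before proceeding on a self-signed site the user specified), as an added example that is not the project's own code or the referenced commit. The class name `PromptingWebViewClient` and the `userSpecifiedHosts` set are assumptions made for illustration.

```java
import android.app.AlertDialog;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Set;

// Hypothetical client: names are illustrative, not taken from the project.
public class PromptingWebViewClient extends WebViewClient {
    // Hosts the user explicitly entered as self-signed (assumed to come from app settings).
    private final Set<String> userSpecifiedHosts;

    public PromptingWebViewClient(Set<String> userSpecifiedHosts) {
        this.userSpecifiedHosts = userSpecifiedHosts;
    }

    // The pattern the warning describes is a handler that calls handler.proceed()
    // for every error. Here every path ends in cancel() unless the user agrees.
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        String host = Uri.parse(error.getUrl()).getHost();

        // Accept only "untrusted issuer" (the self-signed case). Any other
        // validation failure in the error set is rejected outright.
        boolean onlyUntrusted = error.hasError(SslError.SSL_UNTRUSTED)
                && !error.hasError(SslError.SSL_NOTYETVALID)
                && !error.hasError(SslError.SSL_EXPIRED)
                && !error.hasError(SslError.SSL_IDMISMATCH)
                && !error.hasError(SslError.SSL_DATE_INVALID)
                && !error.hasError(SslError.SSL_INVALID);

        if (host == null || !onlyUntrusted || !userSpecifiedHosts.contains(host)) {
            handler.cancel();
            return;
        }

        // Show who the certificate claims to be and let the user decide.
        // view.getContext() must be an Activity context for the dialog to show.
        String subject = error.getCertificate().getIssuedTo().getDName();
        new AlertDialog.Builder(view.getContext())
                .setTitle("Untrusted certificate")
                .setMessage("The certificate for " + host + " is issued to " + subject
                        + " and is not signed by a trusted authority. Continue?")
                .setPositiveButton(android.R.string.ok, (d, which) -> handler.proceed())
                .setNegativeButton(android.R.string.cancel, (d, which) -> handler.cancel())
                .setOnCancelListener(d -> handler.cancel()) // back press or tap outside
                .show();
    }
}
```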