Android development notes: a certificate security problem raised when publishing to Google Play

When updating the APK on Google Play, I received a warning email from Google. The original text is as follows:

Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details
To correct the issue, please update your apps code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. Please have the following points in mind while checking the validity of the certificate:
An app may be flagged if it does not contain sufficient checks for certificate validity; for instance, just checking the return value of getPrimaryError is not sufficient to establish the validity of the certificate.

It is not safe to ignore most SSL errors returned by SslError.getPrimaryError. Please note that getPrimaryError returns the most severe error in a set of errors, so if getPrimaryError() != SSL_UNTRUSTED is true, the connection may still contain an SSL_UNTRUSTED error in the set of errors.

If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

For more information about the SSL error handler, please see our documentation in the Android Developers Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler.”

While these specific issues may not affect every app that uses WebView SSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”
For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Roughly, it says the app may contain a vulnerability: when some links are visited, those without a trustworthy certificate may leak data, and the developer has to handle it. Google is clearly paying more and more attention to security. The email also names the classes responsible for the insecure behaviour, which makes it much easier for developers to fix the problem in their project. After going through the project code, I found the offending code:

class MyWebViewClient extends WebViewClient {

    ....

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Only the most severe error is inspected, and only three codes are rejected.
        switch (error.getPrimaryError()) {
            case SslError.SSL_IDMISMATCH:   // host name does not match
            case SslError.SSL_DATE_INVALID: // certificate date is invalid
            case SslError.SSL_EXPIRED:      // certificate has expired
                handler.cancel();
                break;
            default:
                // Every other error (including SSL_UNTRUSTED) is ignored and the page loads anyway.
                handler.proceed();
                break;
        }
    }
}

This code passed review when the app was first published, but it now has to be changed. Two important APIs are involved:

SslErrorHandler.cancel()
Stop loading the page that raised the error.

SslErrorHandler.proceed()
Ignore the SSL certificate error and continue loading the page.

The common solutions are as follows:

Solution 1: show a dialog that informs the user and lets them decide whether to load the site without a valid certificate:

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // The Builder needs a Context; a WebViewClient is not one, so use the WebView's context.
    final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed(); // user accepted the risk
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel(); // user declined; the page is not loaded
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

Solution 2: give the user no choice and simply refuse to load by default:

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.cancel(); // never proceed past a certificate error
}

Developers online report that solution 1 can still trigger Google's warning email and block publishing. This project adopted solution 2, refusing to load by default, and no further warning email was received. Note that after this change you should go over every feature in the project that accesses web pages and check whether any of them has been affected.
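As an added example (not code from this post), here is a deny-by-default client in the spirit of solution 2 that also follows the email's guidance: it logs every error in the set rather than only getPrimaryError(), and it calls proceed() only when the presented certificate matches one the app explicitly expects. The pinned fingerprint, the class name and the "SslPin" log tag are assumptions.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;

// Deny by default; proceed only when the presented certificate is one the app
// explicitly expects (here: a pinned SHA-256 fingerprint of the DER certificate).
class PinnedSslWebViewClient extends WebViewClient {
    // Hypothetical placeholder: lower-case hex SHA-256 of the expected certificate.
    private static final String EXPECTED_SHA256 = "<sha256-of-expected-certificate>";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Log every error in the set, not only getPrimaryError(): a primary error
        // other than SSL_UNTRUSTED can still coexist with SSL_UNTRUSTED.
        for (int code = SslError.SSL_NOTYETVALID; code < SslError.SSL_MAX_ERROR; code++) {
            if (error.hasError(code)) {
                Log.w("SslPin", "SSL error " + code + " while loading " + error.getUrl());
            }
        }
        if (certificateMatchesExpectation(error.getCertificate())) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }

    static boolean certificateMatchesExpectation(SslCertificate cert) {
        if (cert == null) return false;
        try {
            // saveState() exposes the DER bytes on all API levels
            // (cert.getX509Certificate().getEncoded() also works on API 29+).
            Bundle state = SslCertificate.saveState(cert);
            byte[] der = state.getByteArray("x509-certificate");
            if (der == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return toHex(digest).equals(EXPECTED_SHA256);
        } catch (Exception e) {
            return false; // any verification failure means "does not meet expectations"
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Pinning the leaf certificate means the app must be updated whenever that certificate is rotated; if no certificate is pinned at all, the method reduces to solution 2 and always cancels.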
