SSL Warning from google play

Solution 1

I have received the same warning today, and it informs me that the issue comes from the SDK of one of my ad networks (InMobi, I'm really considering dropping them as they have a lot of fraudulent, auto-redirect banners, and now this...):

com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient

What is the affected class in your case? If it is one of your own classes, you'll have to read the technical documentation and fix your implementation.

If, like me, you are just the victim of one of your external libraries, contact the developers to ask them to provide a fixed library (or drop the library).

Solution 2

You should first check that you use the WebViewClient.onReceivedSslError handler properly.

If you're not using the WebViewClient library or if you're already using it properly, the problem is probably coming from a third-party library. You could first use this Linux command in the root directory of your project to identify which libraries could be responsible for the problem:

find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;

This will list the files inside all your jar files having the "OnReceivedSslError" string.

After that, you may check whether the Google recommendations for handling the vulnerability are respected in each matched file.
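The jar search from Solution 2, extended as an added example that is not part of the original answer: a Python scanner that also descends into .aar files and nested jars, and sorts each matching class by whether it references proceed() without cancel(). The verdict strings, the com.example class names and the sample bytes are constructed, and the proceed/cancel check is a byte-string heuristic, so every hit still needs manual review.

```python
import io
import zipfile
from pathlib import Path

NEEDLE = b"onReceivedSslError"

def classify(blob):
    # Heuristic: method names sit in the class constant pool as plain bytes.
    if b"proceed" not in blob:
        return "no proceed() reference"
    if b"cancel" not in blob:
        return "review first: proceed() referenced, cancel() never"
    return "review: proceed() and cancel() both referenced"

def scan_archive(data, label):
    """Return (path, verdict) for each class naming the handler; recurses into nested jars."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # misnamed or corrupt archive: nothing to report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob, path = zf.read(name), label + "!" + name
            if name.lower().endswith((".jar", ".aar")):
                findings += scan_archive(blob, path)
            elif name.endswith(".class") and NEEDLE in blob:
                findings.append((path, classify(blob)))
    return findings

def scan_tree(root):
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in (".jar", ".aar"):
            findings += scan_archive(p.read_bytes(), str(p))
    return findings

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()

# Constructed sample: placeholder bytes standing in for class files, not real SDK code.
SAMPLE_AAR = make_zip({"classes.jar": make_zip({
    "com/example/ads/TrackerClient.class": b"..onReceivedSslError..proceed..",
    "com/example/ui/PromptClient.class": b"..onReceivedSslError..proceed..cancel..",
    "com/example/Util.class": b"..toString..",
})})
```

Calling scan_tree(".") from the project root returns the same kind of list for the real dependencies; the class path in each hit can be compared with the affected class named in the Google Play warning.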

Solution 3

If you don't need to handle things in onReceivedSslError(WebView, SslErrorHandler, SslError), just remove this method to avoid the Google Play warning. Otherwise, you also should not proceed directly. Here is an example by @sakiM, from "Webview avoid security alert from google play upon implementation of onReceivedSslError":

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // Inside a WebViewClient, "this" is not a Context; take it from the WebView.
    final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            // Load the page only after the user explicitly accepts the certificate error.
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            // Abort the connection.
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

If the method onReceivedSslError has been invoked by a third-party library, just contact the provider.

Author by

Vishal Chaudhari

Updated on June 06, 2022

Comments

  • Vishal Chaudhari, about 2 years

    Got warning from google play.

    How can I handle "SSL Error Handler Vulnerability" of unsafe implementation of the WebViewClient.onReceivedSslError handler.

    "Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise."

  • Sohan, over 8 years
    Hey @Sebastien. I'm from the InMobi team. You got the SSL error because of the changes to the google play store which now require https. Just download our latest SDK and this will be fine :)
  • Emanuel Moecklin, over 8 years
    I agree on the fraudulent, auto-redirect ads. Got a lot of user complaints and bad ratings because of InMobi ads.
  • Austyn Mahoney, over 8 years
    @Sohan, the error was not because of changes to the Play Store. This makes it seem like it was Google's fault. Your SDK had a critical vulnerability that allowed for MitM attacks in it, Google just alerted developers to the issue.
  • Antimony, over 8 years
    The alert talks about an unsafe onReceivedSslError implementation. This has nothing to do with OpenSSL.
  • Stéphane, over 8 years
    I confirm @Antimony's comment