Google Play Warning: SSL Error Handler Vulnerability
510 views
Skip to first unread message
sergio...@gmail.com
Aug 27, 2016, 1:48:06 AM8/27/16
to CodenameOne Discussions
I recently submitted an app in the Play Store, developed using codenameone and I received a warning email from Google with the following message:
"We detected that your app(s) listed at the end of this email are using an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. You can also see the list of affected apps, as well as details such as version numbers and class names, on the Alerts page in your Developer Console.
Your current implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
What’s happening
Beginning November 25, 2016, Google Play will block publishing of any new apps or updates that contain this vulnerability. Your published APK version will remain unaffected, however any updates to the app will be rejected unless you address this vulnerability.
Action required
- To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
- If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.
- After making changes, sign in to your Developer Console and submit the updated version of your app.
- Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly."
I was researching but unfortunately I didn't find anything about that. I think that maybe is an internal issue of the platform but not sure. What do you think?
Thanks in advance.
Sergio
Shai Almog
Aug 27, 2016, 1:57:45 AM8/27/16
to CodenameOne Discussions, sergio...@gmail.com
Do you use any cn1libs?
I just submitted a Codename One app the other day and didn't get that warning.
I just submitted a Codename One app the other day and didn't get that warning.
sergio...@gmail.com
Aug 27, 2016, 2:14:16 AM8/27/16
to CodenameOne Discussions, sergio...@gmail.com
Yes, I used ConnectionRequest to call some web service. I have been reviewing this code but is pretty simple and there is not any strange configuration about ssl or something related to this.
On the Google's email, talks about WebViewClient that is used on Android to setup the WebView but on my app I don't use any webview for this reason I think that maybe is an internal issue of the platform but I not sure.
Shai Almog
Aug 28, 2016, 12:23:33 AM8/28/16
to CodenameOne Discussions, sergio...@gmail.com
cn1libs not standard API usage: http://stackoverflow.com/questions/39177995/codenameone-google-play-warning-ssl-error-handler-vulnerability
Reply all
Reply to author
Forward
0 new messages