Google Play 警告:WebViewClient.onReceivedSslError 处理程序 [英] Google Play Warning: WebViewClient.onReceivedSslError handler
问题描述
我最近收到一封来自 Google 的电子邮件,主题如下:Google Play 警告:SSL 错误处理程序漏洞".在这封电子邮件中,Google 解释说我的应用程序有一个 ["WebViewClient 的不安全实现.onReceivedSslError 处理程序.具体来说,该实现会忽略所有 SSL 证书验证错误,使您的应用程序容易受到人在-中间攻击.攻击者可以更改受影响的 WebView 的内容,读取传输的数据(例如登录凭据),并使用 JavaScript 在应用程序内执行代码."]....................
I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript."] ....................
我在我的代码中使用:
webView.setWebViewClient(new WebViewClient() {
@Override
public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {}
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed();
}
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
return super.shouldOverrideUrlLoading(view, url);
}
@Override
public void onPageFinished(WebView view, String url) {
super.onPageFinished(view, url);
// My code
}
});
//我的代码
webview_ClientPost(webView, "https://secure.payu.in/_payment", mapParams.entrySet());
为什么 Google Play 会发送有关 SSL 的警告?这是我的代码问题还是 PayUMoney 问题?
Why the Google play sending this warning regarding SSL? Is this my code issue or PayUMoney issue?
推荐答案
我希望这还为时不晚..那个警告是关于你应该通知用户将转到一个证书无效的页面,你不应该直接继续.
I hope is not too late for this.. that warning is about you should notify user is going to a page with invalid cert, you should not proceed it directly.
你可以实现一个像这样的警告对话框:
You can implment an alert dialog something like this:
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
builder.setMessage(R.string.notification_error_ssl_cert_invalid);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
这取自此链接中的 sakiM 答案:Webview 在执行 onReceivedSslError 时避免来自 google play 的安全警报
This was taken from sakiM answers in this link: Webview avoid security alert from google play upon implementation of onReceivedSslError
这篇关于Google Play 警告:WebViewClient.onReceivedSslError 处理程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!