Webview avoid security alert from google play upon implementation of onReceivedSslError


Problem description


I have a link which will open in a webview. The problem is that it cannot be opened until I override onReceivedSslError like this:

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }

I am getting a security alert from Google Play saying:

Security alert

Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. An email alert containing the affected app(s) and class(es) has been sent to your developer account address.

Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags "android-security" and "SslErrorHandler." If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.

Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Please ensure all apps published are compliant with the Developer Distribution Agreement and Content Policy. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.

If I remove onReceivedSslError (handler.proceed()), the page won't open.
Is there any way I can open the page in the webview and avoid the security alert?

Solution

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

As the email said, onReceivedSslError should notify the user that they are going to a page with an invalid cert. You should not proceed directly.

For example, I add an alert dialog to make the user confirm, and it seems Google no longer shows the warning.


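    import android.app.AlertDialog;
    import android.content.DialogInterface;
    import android.net.http.SslError;
    import android.webkit.SslErrorHandler;
    import android.webkit.WebView;

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // A WebViewClient is not a Context, so take the Context from the WebView.
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        builder.setMessage(R.string.notification_error_ssl_cert_invalid);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                // The user accepted the invalid certificate: load the page anyway.
                handler.proceed();
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                // The user declined: abort the request.
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }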
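One way to implement the alert's "meets your expectations" condition without asking the user, as an added example that is not part of the original answer: proceed only when the failing URL is one expected host and the presented certificate matches a pinned SHA-256 fingerprint, and cancel in every other case. The class name `PinnedCertWebViewClient`, the host `internal.example.com` and the pin passed to the constructor are hypothetical placeholders.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.security.MessageDigest;

public class PinnedCertWebViewClient extends WebViewClient {
    // Assumption: placeholder host; replace with the one server whose certificate you control.
    private static final String EXPECTED_HOST = "internal.example.com";
    // Policy choice for this example: only an untrusted issuer may be waived, never these.
    private static final int[] NEVER_WAIVED = {SslError.SSL_NOTYETVALID, SslError.SSL_EXPIRED,
            SslError.SSL_IDMISMATCH, SslError.SSL_DATE_INVALID, SslError.SSL_INVALID};
    private final byte[] expectedSha256; // SHA-256 over the DER encoding of the pinned certificate

    public PinnedCertWebViewClient(byte[] expectedSha256) {
        this.expectedSha256 = expectedSha256.clone();
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesPin(error)) {
            handler.proceed();
        } else {
            handler.cancel(); // any other host, error type or certificate
        }
    }

    private boolean matchesPin(SslError error) {
        try {
            String host = URI.create(error.getUrl()).getHost();
            if (!EXPECTED_HOST.equalsIgnoreCase(host)) return false;
            for (int code : NEVER_WAIVED) {
                if (error.hasError(code)) return false;
            }
            byte[] der = encodedCert(error.getCertificate());
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(actual, expectedSha256);
        } catch (Exception e) {
            return false; // fail closed on a missing certificate or any parsing problem
        }
    }

    private static byte[] encodedCert(SslCertificate cert) throws Exception {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            return cert.getX509Certificate().getEncoded(); // available from API 29
        }
        // Older releases: read the DER bytes from the Bundle that saveState() fills.
        return SslCertificate.saveState(cert).getByteArray("x509-certificate");
    }
}
```

Because every path other than an exact pin match ends in `handler.cancel()`, a certificate presented by an intercepting proxy is rejected rather than offered to the user for confirmation.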
