TrustManager vulnerability when Flutter app published in Google Play

Question

I recently published an application on Google Play, and I received an email from the Google Play team which says: ...and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

Vulnerability : TrustManager

My application was developed with Flutter...

I really don't know how to fix this, if you can help me.

pubspec.yaml

name: ...
description: ...

version: 1.0.1+2

environment:
  sdk: ">=2.1.0 <3.0.0"

dependencies:
  flutter:
    sdk: flutter

  # The following adds the Cupertino Icons font to your application.
  # Use with the CupertinoIcons class for iOS style icons.
  cupertino_icons: ^0.1.2

  #bottom_navy_bar: ^5.3.2
  http: ^0.12.2
  shared_preferences: ^0.5.6+1
  location: ^2.3.5
  sqflite: ^1.2.0
  path_provider: ^1.6.0
  image_picker: ^0.6.3+1
  intl: ^0.16.1
  country_code_picker: ^1.2.4

  multi_image_picker: ^4.6.1

  firebase_auth: ^0.16.1
  image_cropper: ^1.2.1
  validators: ^2.0.0+1
  firebase_messaging: ^6.0.9
  esys_flutter_share: ^1.0.2
  photo_view: ^0.9.1
  material_design_icons_flutter: ^3.4.4895
  url_launcher: ^5.4.1
  cached_network_image: ^2.0.0
  encrypt: ^4.0.0
  flutter_local_notifications: ^1.1.6
  r_scan: ^0.1.3+2
  permission_handler: ^4.2.0+hotfix.3
  native_contact_picker: ^0.0.6
  qr_utils:
    path: packages/qr_utils
  libphonenumber: ^1.0.1
  flutter_cache_manager: ^1.1.3
  csv: ^4.0.3
  excel: ^1.0.2
  pdf: ^1.5.0
  printing: any
  flutter_swiper: ^1.1.6
  flutter_rating_bar: ^3.0.1+1
  flutter_native_admob: ^2.1.0

dev_dependencies:
  flutter_test:
    sdk: flutter

flutter:

  uses-material-design: true

  assets:
    - assets/images/

Code

String url = "https://exemple.com/resources/users/1";
try {
  final response = await http.get(url);
  if (response.statusCode == 200) {
    // parse user
  }
} on SocketException {
} catch (ex) {
  print(ex.toString());
}
return null;

flutter doctor

[√] Flutter (Channel stable, v1.17.3, on Microsoft Windows [version 10.0.10240], locale fr-FR)
    • Flutter version 1.17.3 at C:\souces\flutter
    • Framework revision b041144f83 (8 weeks ago), 2020-06-04 09:26:11 -0700
    • Engine revision ee76268252
    • Dart version 2.8.4

[√] Android toolchain - develop for Android devices (Android SDK version 30.0.0)
    • Android SDK at D:\android\android-sdk-windows
    • Platform android-30, build-tools 30.0.0
    • ANDROID_HOME = D:\android\android-sdk-windows
    • Java binary at: C:\Program Files\Android\Android Studio\jre\bin\java
    • Java version OpenJDK Runtime Environment (build 1.8.0_242-release-1644-b01)
    • All Android licenses accepted.

[√] Android Studio (version 4.0)
    • Android Studio at C:\Program Files\Android\Android Studio
    • Flutter plugin version 46.0.2
    • Dart plugin version 193.7361
    • Java version OpenJDK Runtime Environment (build 1.8.0_242-release-1644-b01)

[√] VS Code (version 1.46.0)
    • VS Code at C:\Users\User\AppData\Local\Programs\Microsoft VS Code
    • Flutter extension version 3.12.2

[√] Connected device (1 available)
    • TECNO WX4 • 0257309828005184 • android-arm • Android 7.0 (API 24)

• No issues found!

Recommended answer

It's probably caused by the r_scan library, as it uses a custom implementation of the X509TrustManager. See this issue.
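
To find which dependency ships such a class, the Android sources of each plugin can be checked for an X509TrustManager whose checkServerTrusted never rejects a certificate. The following is an added example, not part of the original answer and not code from r_scan; the function names and the sample sources are constructed for illustration, and the check is a heuristic over Java/Kotlin text, not a full parser.

```python
import re
from pathlib import Path

# A declaration (not a call) of checkServerTrusted in Java or Kotlin, up to its "{".
DECL_RE = re.compile(r"\bcheckServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{")

def strip_comments(code):
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)
    return re.sub(r"//[^\n]*", "", code)

def body_from(code, open_idx):
    """Text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(code)):
        depth += {"{": 1, "}": -1}.get(code[i], 0)
        if depth == 0:
            return code[open_idx + 1:i]
    return code[open_idx + 1:]  # unbalanced source: take the rest

def permissive_trust_managers(sources):
    """Paths (path -> text mapping) whose checkServerTrusted neither throws nor delegates."""
    flagged = []
    for path, text in sources.items():
        code = strip_comments(text)
        if "X509TrustManager" not in code:
            continue
        for m in DECL_RE.finditer(code):
            body = body_from(code, m.end() - 1)
            # A body that never throws and never calls another trust manager
            # accepts every certificate chain it is handed.
            if not re.search(r"\bthrow\b|\bcheckServerTrusted\s*\(", body):
                flagged.append(path)
                break
    return sorted(flagged)

def load_sources(root):
    """Read the .java/.kt files under root, e.g. a plugin's android/ folder."""
    return {str(p): p.read_text(errors="ignore")
            for p in Path(root).rglob("*.*") if p.suffix in (".java", ".kt") and p.is_file()}

# Constructed sample sources, not taken from r_scan or any real plugin.
SAMPLE = {
    "plugin_a/TrustAll.java": """class TrustAll implements X509TrustManager {
        public void checkServerTrusted(X509Certificate[] c, String a) { /* accept */ }
    }""",
    "plugin_b/Delegating.java": """class Delegating implements X509TrustManager {
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            platform.checkServerTrusted(c, a);  // hand off to the default manager
        }
    }""",
}
```

Calling permissive_trust_managers(load_sources(path)) on the folder holding the project's plugin sources lists the files to review; a flagged file still needs a manual read, since validation done through a helper method would not be seen by this check.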
