Webview avoid security alert from google play upon implementation of onReceivedSslError


Question

I have a link which will open in webview. The problem is it cannot be opened until I override onReceivedSslError like this:

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    // Accepts every certificate error unconditionally (this is what Google Play flags)
    handler.proceed();
}

I am getting a security alert from google play saying:

Security alert Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. An email alert containing the affected app(s) and class(es) has been sent to your developer account address.

Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags "android-security" and "SslErrorHandler." If you are using a 3rd party library that's responsible for this, please notify the 3rd party and work with them to address the issue.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.

Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Please ensure all apps published are compliant with the Developer Distribution Agreement and Content Policy. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.

If I remove onReceivedSslError (handler.proceed()), then the page won't open.

Is there any way I can open the page in the webview and avoid the security alert?

Recommended answer

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

As the email said, onReceivedSslError should handle the case where the user is going to a page with an invalid cert, for example with a notification dialog. You should not proceed directly.

For example, I added an alert dialog to make the user confirm, and it seems Google no longer shows the warning.

// Assumes this WebViewClient is an inner class of an Activity, so that `this`
// resolves to a Context usable by AlertDialog.Builder.
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    // Only proceed after the user explicitly accepts the invalid certificate
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    // Cancel the load if the user declines
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}


More explanation about the email.

Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks.

The email says the default implementation ignored an important SSL security problem. So we need to handle it in our own app which uses WebView. Notifying the user with an alert dialog is a simple way.
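Google's guidance quoted above ("proceed whenever the certificate presented by the server meets your expectations, cancel otherwise") can also be implemented without asking the user: pin the expected server certificate and only proceed when the presented one matches. The following is an added example, not code from the question or the answer; the fingerprint and host are placeholders, and `SslCertificate.getX509Certificate()` requires API level 29.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

public class PinnedWebViewClient extends WebViewClient {
    // Placeholder values: the SHA-256 of the DER-encoded certificate the app expects
    // (for example a private-CA or self-signed cert) and the only host it applies to.
    private static final String EXPECTED_SHA256_HEX = "REPLACE_WITH_EXPECTED_CERT_SHA256_HEX";
    private static final String EXPECTED_HOST = "example.internal";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Proceed only for the pinned cert on the pinned host; everything else is cancelled,
        // so an attacker-supplied certificate never reaches the page.
        if (certificateMatches(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }

    static boolean certificateMatches(SslError error) {
        try {
            // Only an "untrusted issuer" error is expected for a pinned private cert;
            // expiry, hostname mismatch and other errors are never accepted.
            if (error.getPrimaryError() != SslError.SSL_UNTRUSTED) return false;
            String host = Uri.parse(error.getUrl()).getHost();
            if (host == null || !host.equalsIgnoreCase(EXPECTED_HOST)) return false;
            X509Certificate cert = error.getCertificate().getX509Certificate(); // API 29+
            if (cert == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            // Constant-time comparison against the pinned fingerprint
            return MessageDigest.isEqual(digest, hexToBytes(EXPECTED_SHA256_HEX));
        } catch (Exception e) {
            return false; // any failure to validate means "does not meet expectations"
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Rotating the server certificate requires shipping a new fingerprint, so pin the certificate you control and plan the update before it changes.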
