Google Play 安全警报 - 您的应用正在使用不安全的 HostnameVerifier 实现 [英] Google Play Security Alert - Your app is using an unsafe implementation of the HostnameVerifier

问题描述

最近我的一个应用收到了来自 Google Play 的安全警报，如下所示.

Recently one of my app got a security alert from Google Play as below.

您的应用正在使用 HostnameVerifier 的不安全实现.并参考 Google Play 帮助中心 文章的链接，了解有关漏洞修复和截止日期的详细信息.

You app is using an unsafe implementation of the HostnameVerifier. And refer a link to Google Play Help Center article for details regarding to fixing and deadline of vulnerability.

下面是我的代码.

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){ 
    public boolean verify(String arg0, SSLSession arg1) {
        return true;
}}); 

任何人都可以举例说明，我应该做哪些更改来修复此警告?

Anyone can explain with example about, what changes should I do to fix this warning?

推荐答案

同样 - 在 APK 中检测到不安全的主机名验证器

Same here - Insecure Hostname Verifier Detected in APK

您的应用正在使用不安全的 HostnameVerifier 实现.请有关详细信息，请参阅此 Google 帮助中心文章，包括修复漏洞的最后期限.我没有使用 HostnameVerifier而不是调用 setDefaultHostnameVerifier.此外 - 我使用 OKHTTP用于 http 请求的库.我希望定义 TrustManager 能解决这个问题.

Your app is using an unsafe implementation of HostnameVerifier. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability. Im not using HostnameVerifier and not calling setDefaultHostnameVerifier. Moreover - Im using OKHTTP lib for http-requests. I hope that defining TrustManager will solve this issue.

由于我没有继承 HostnameVerifier 或调用 setDefaultHostnameVerifier() 我假设它依赖于一些 3rd 方库.由于我无法检测到这样的库，我想我会尝试使用以下代码添加一个类

Since I'm not subclassing HostnameVerifier or calling setDefaultHostnameVerifier() I assume it relies to some 3rd party lib. Since I can't detect such lib I think I will try to add a class with following code

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(final String hostname, final SSLSession session) {
        if (/* check if SSL is really valid */)
            return true;
        else
            return false;
    }
});

到我的项目，看看它是否能解决问题.
所以我做到了，此外，我还添加了覆盖方法的每个 webView

to my project and will see if it fixes the issue.
So I did it and additionally to every webView I've added overridden method

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // the main thing is to show dialog informing user
    // that SSL cert is invalid and prompt him to continue without 
    // protection: handler.proceed();
    // or cancel: handler.cancel();
    String message;
    switch(error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_date_invalid);
            break;
        case SslError.SSL_EXPIRED:
            message = ResHelper.getString(R.string.ssl_cert_error_expired);
            break;
        case SslError.SSL_IDMISMATCH:
            message = ResHelper.getString(R.string.ssl_cert_error_idmismatch);
            break;
        case SslError.SSL_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_invalid);
            break;
        case SslError.SSL_NOTYETVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_not_yet_valid);
            break;
        case SslError.SSL_UNTRUSTED:
            message = ResHelper.getString(R.string.ssl_cert_error_untrusted);
            break;
        default:
            message = ResHelper.getString(R.string.ssl_cert_error_cert_invalid);
    }
    mSSLConnectionDialog = new MaterialDialog.Builder(getParentActivity())
            .title(R.string.ssl_cert_error_title)
            .content(message)
            .positiveText(R.string.continue_button)
            .negativeText(R.string.cancel_button)
            .titleColorRes(R.color.black)
            .positiveColorRes(R.color.main_red)
            .contentColorRes(R.color.comment_grey)
            .backgroundColorRes(R.color.sides_menu_gray)
            .onPositive(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                    mSSLConnectionDialog.dismiss();
                    handler.proceed();
                }
            })
            .onNegative(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                    handler.cancel();
                }
            })
            .build();
    mSSLConnectionDialog.show(); 
}

到

mWebView.setWebViewClient(new WebViewClient() {
... // other corresponding overridden methods
}

最后，谷歌说:

安全扫描完成
未检测到 APK 158 的已知漏洞.

SECURITY SCAN COMPLETE
No known vulnerabilities were detected for APK 158.

但是我不确定是什么代码实现的，HostNameVerifier 或 mWebView.setWebViewClient 的 onReceivedSslError().注意:HostNameVerifier.setDefaultHostnameVerifier() 不应该总是返回 true 就像它在你的代码中一样！它必须实现一些逻辑来检查 SSL 是否一切正常并返回 true 或 false.这是必不可少的.

However I'm not sure what code made it, HostNameVerifier or onReceivedSslError() of mWebView.setWebViewClient. Note: HostNameVerifier.setDefaultHostnameVerifier() should not return true always like it is in your code! It has to implement some logic to check if its all OK with SSL and return true or false. It is essential.

这篇关于Google Play 安全警报 - 您的应用正在使用不安全的 HostnameVerifier 实现的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！