I am getting security alert from google play saying:
Your APK has been rejected for containing security vulnerabilities, which violates the Malicious Behavior policy. If you submitted an update, the previous version of your app is still live on Google Play.
If I remove onReceivedSslError (handler.proceed()), page won't open.
Is there anyway I can open page in webview and avoid security alert.
and my website to put in my app need http or https ? I'm using http://mywebsite...
If you use onReceivedSslError method, then please remove onReceivedSslError method and make new APK.
Change onReceivedSslError() to:
#Override
public void onReceivedSslError(WebView v, final SslErrorHandler handler, SslError er) {
final AlertDialog.Builder builder = new AlertDialog.Builder(getApplicationContext());
builder.setMessage("Problem with Security");
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
Hope this will help you.
Related
I released a production Android app last month, but I had trouble with the SSL Error Handler.
I followed Stackoverfollow's and Google's tutorials, however Google doesn't still approve my app (note: this QA is not a duplicate).
https://support.google.com/faqs/answer/7071387
SSL Error Handler WebView Android
My code is implemented the following:
Any Fragment or Activity that uses WebViewClient, I've controlled SSL Error like this
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
LogI("onReceivedSslError: " + error.getCertificate());
AlertDialog.Builder builder = new AlertDialog.Builder(ctx);
AlertDialog alertDialog = builder.create();
String message;
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
case SslError.SSL_DATE_INVALID:
message = "The date of the certificate is invalid.";
break;
default:
message = "A generic error occurred.";
break;
}
message += " Do you want to continue anyway?";
alertDialog.setTitle("SSL Certificate Error");
alertDialog.setMessage(message);
alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", (dialog, which) -> handler.proceed());
alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", (dialog, which) -> handler.cancel());
alertDialog.show();
}
So, Why is my app not approved? What should I do next?
Thank you for your advice!
Update 1:
I released my app in 2019 and updated it many times (there was no problem). But from 2021/5 I've got this problem.
May these errors are from old APKs, AABs version, remove/deactivate it before submitting new APKs, AABs
you have to call either handler.cancel(); (thats for your case) or super.onReceivedSslError(view, handler, error); straight inside onReceivedSslError. HERE you have some doc, in which:
The host application must call either SslErrorHandler#cancel or SslErrorHandler#proceed
and also
Application overrides of this method may display custom error pages or silently log issues, but it is strongly recommended to always call SslErrorHandler#cancel and never allow proceeding past errors.
without any of these calls some Google bot which checks apps may think, that you are disabling any SSL validation at all, which may be insecure for user
This is the code I used in my App and it was accepted. The only difference I am seeing is the try-catch block. My suggestion will be to try a simpler version on Play Store first, then update that with the specific type error message.
#Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
try{
final AlertDialog.Builder builder = new AlertDialog.Builder(PaymentActivity.this);
builder.setMessage(R.string.notification_error_ssl_cert_invalid);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}catch (Exception e){
e.printStackTrace();
}
}
When I try to publish my app, the Google Play Console says that I have a vulnerability in my app due to SSL Error Handler. I followed the Google Help Center solution https://support.google.com/faqs/answer/7071387, and tried to publish again, but no success. I got in touch with Google Play Support, and they have answered me:
I took a look at your app, and version PET App of 10 has the following class, which contains a vulnerable version of SslErrorHandler:
And here is the code I'm using to handle the SslError:
#Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(SigpetActivity.this);
String message = "SSL Certificate error.";
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
}
builder.setMessage(message+" Clique em 'CONTINUAR' para permitir o acesso ao Sigpet");
builder.setPositiveButton("continuar", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancelar", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
finish();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
I'm using no third party library for this, just android webkit WebClient.
How can I fix it to let them allow me to publish my app?
My guess is that Google doesn't like you calling proceed() or cancel() asynchronously in an onClick callback. Instead, you should do it synchronously in the onReceivedSslError() method itself.
Google play message:
This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.
Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.
Vulnerability APK Version(s)
SSL Error Handler
For more information about the SSL error handler, please see this Android Developers Help Center article.
22
I already updated webviewclient code
Here is my code:
myWebView.setWebViewClient(new WebViewClient() {
#Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError
error) {
final AlertDialog.Builder builder = new AlertDialog.Builder
(MyActivity.this);
builder.setMessage(R.string.sslerror_msg);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
});
Please share solution if any one face this kind of problem. Thanks in advance.
After lots of finding I found a solution. If you got this type error or notification message from google play-store during uploading APK then follow the following steps to solved this issue.
Solution:
1. If you use webView & redirect a website then add this code in your WebViewClient
myWebView.setWebViewClient(new WebViewClient() {
#Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError
error) {
final AlertDialog.Builder builder = new AlertDialog.Builder
(MyActivity.this);
builder.setMessage(R.string.sslerror_msg);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
});
You got this error by using any third party library like InMobi. For InMobi use latest SDK of InMobi. This issue will be resolved in latest SDK of InMobi.
Download InMobi SDK: http://www.inmobi.com/sdk/
For more information of InMobi follow this link: https://support.inmobi.com/monetize/integration/android/android-sdk-integration-guide/
I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler"]
and they recommended me to ["To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise"]
here's my implementation of the method :
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed();
}
any help please ?
To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.
#Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
String message = "SSL Certificate error.";
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
}
message += " Do you want to continue anyway?";
builder.setTitle("SSL Certificate Error");
builder.setMessage(message);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
#Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
After this changes it will not show warning. Reference
the solution is to remove onReceivedSslError.
I was using backendless library old version compile 'com.backendless:backendless:3.0.11' so i update to latest version compile 'com.backendless:backendless:3.0.24' and issue solved.
I have an application that uses the Facebook SDK for Android to login into my application. But I am having some problems in checking whether the user is already logged-in or not. After the login page, the main interface will be displayed to the user. What I want is that, if the user has logged-in in its past interaction with application, the next time the application is launched, no more login screen just the main interface. So at start-up my application should check whether a user is logged in or not. How will I do it?
I tried using mFacebook.isSessionValid(), but it's always returning a false.
You can try the following code :
if(mFacebook.isSessionValid()) {
onFacebookClick();
}
private void onFacebookClick() {
if (mFacebook.isSessionValid()) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
builder.setMessage("Delete current Facebook connection?")
.setCancelable(false)
.setPositiveButton("Yes",new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog,int id) {
fbLogout();
}
})
.setNegativeButton("No",new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog,int id) {
dialog.cancel();
facebook_btn.setText(getResources().getString(R.string.signinout));
}
});
final AlertDialog alert = builder.create();
alert.show();
} else {
facebook_btn.setText(getResources().getString(R.string.signin));
mFacebook.authorize(this, PERMISSIONS, -1,new FbLoginDialogListener());
}
}