I'm developing an Android app which contains social networking login. After this issue, I removed the class which contains "WebViewClient.onReceivedSslError". But when I uploaded the app to the Google Play Store, it got rejected with the following error.
"How to address WebView SSL Error Handler alerts in your apps."
I'm also using the class for sending mail in the background without an Intent. This uses "SSL" and "TrustManagerFactory.X509". Is this the reason for the rejection? I suppose if this were the reason for the rejection, then I might get some other error like "App Rejected By Google Play Store due to unsafe implementation of the X509TrustManager".
Looking for support. Thanks in advance.
This is the message I'm getting from Google Play.
Hello Google Play Developer,
We rejected VISApp, with package name com.avonmobility.visapp, for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.
This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.
Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.
Vulnerability: SSL Error Handler. For more information on how to address WebView SSL Error Handler alerts, please see this Google Help Center article.
APK Version(s): 15
To confirm you’ve upgraded correctly, submit the updated version of your app to the Developer Console and check back after five hours to make sure the warning is gone.
While these vulnerabilities may not affect every app that uses this software, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known security issues, even if you're not sure the issues are relevant to your app.
Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.
If you feel we have made this determination in error, please reach out to our developer support team.
Best,
The Google Play Team
To Solve Google Play Warning: WebViewClient.onReceivedSslError handler
Do not always force handler.proceed(); you also have to include handler.cancel(); so the user can avoid loading unsafe content.
To Handle unsafe implementation of the WebViewClient.onReceivedSslError handler
use the following code
    webView.setWebViewClient(new SSLTolerentWebViewClient());
    webView.loadUrl(myHttpsUrl); // myHttpsUrl: String holding the https:// URL to load

Then

    import android.app.AlertDialog;
    import android.content.DialogInterface;
    import android.net.http.SslError;
    import android.webkit.SslErrorHandler;
    import android.webkit.WebView;
    import android.webkit.WebViewClient;

    // Inner class of Tab1Activity: asks the user before continuing past an SSL error.
    private class SSLTolerentWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
            AlertDialog.Builder builder = new AlertDialog.Builder(Tab1Activity.this);
            AlertDialog alertDialog = builder.create();
            String message = "SSL Certificate error.";
            // Pick a message for the most severe error in the set.
            switch (error.getPrimaryError()) {
                case SslError.SSL_UNTRUSTED:
                    message = "The certificate authority is not trusted.";
                    break;
                case SslError.SSL_EXPIRED:
                    message = "The certificate has expired.";
                    break;
                case SslError.SSL_IDMISMATCH:
                    message = "The certificate Hostname mismatch.";
                    break;
                case SslError.SSL_NOTYETVALID:
                    message = "The certificate is not yet valid.";
                    break;
            }
            message += " Do you want to continue anyway?";
            alertDialog.setTitle("SSL Certificate Error");
            alertDialog.setMessage(message);
            alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
                @Override
                public void onClick(DialogInterface dialog, int which) {
                    // Ignore SSL certificate errors
                    handler.proceed();
                }
            });
            alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
                @Override
                public void onClick(DialogInterface dialog, int which) {
                    // Abort the page load
                    handler.cancel();
                }
            });
            alertDialog.show();
        }
    }
You have to alert the user about the SSL error so Google will allow your app to do this.
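A stricter variant of the handler above, added here as an example and not part of the original answer: it cancels every load that fails certificate validation, never calls proceed(), and logs every error in the set rather than only the primary one. The class name StrictSslWebViewClient, the log tag and the notice text are assumptions.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical class name; blocks any page whose certificate fails validation. */
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "StrictSslWebViewClient";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Abort the load first; this client has no code path that calls proceed().
        handler.cancel();
        Log.w(TAG, "Blocked " + error.getUrl() + ": " + describe(error));
        // Show a static notice in place of the blocked page.
        view.loadData("<p>Secure connection failed. The page was not loaded.</p>",
                "text/html", "UTF-8");
    }

    /** Lists every error in the set; getPrimaryError() reports only the most severe one. */
    static String describe(SslError error) {
        StringBuilder sb = new StringBuilder();
        if (error.hasError(SslError.SSL_UNTRUSTED)) sb.append("untrusted authority; ");
        if (error.hasError(SslError.SSL_EXPIRED)) sb.append("expired; ");
        if (error.hasError(SslError.SSL_IDMISMATCH)) sb.append("hostname mismatch; ");
        if (error.hasError(SslError.SSL_NOTYETVALID)) sb.append("not yet valid; ");
        if (error.hasError(SslError.SSL_DATE_INVALID)) sb.append("invalid date; ");
        if (error.hasError(SslError.SSL_INVALID)) sb.append("generic error; ");
        return sb.length() == 0 ? "unknown SSL error" : sb.toString().trim();
    }
}
```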
I also had an SSL certification issue at the time of uploading the signed APK.
You have to return true for all your trusted HTTP hosts, including the HTTP hosts of 3rd-party libraries.
Here I am putting how I solved that issue. Sorry, for security I didn't put the original paths of the links. These links helped me.
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // TrustManager whose check methods are empty, so no certificate chain is rejected.
    TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] myTrustedAnchors = new X509Certificate[0];
            return myTrustedAnchors;
        }
        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }
        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
    }};
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    // Accept a connection only when the hostname is one of the listed hosts.
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession arg1) {
            if (hostname.equalsIgnoreCase("demo.mysite.com") ||
                    hostname.equalsIgnoreCase("prod.mysite.com") ||
                    hostname.equalsIgnoreCase("22.2.202.22:3333") ||
                    hostname.equalsIgnoreCase("cloud.cloudDeveSite.net") ||
                    hostname.equalsIgnoreCase("11.2.222.22:2222") ||
                    hostname.equalsIgnoreCase("multispidr.3rdPartyLibrary.io")) {
                return true;
            } else {
                return false;
            }
        }
    });
Mention all APIs which have the SSL certification issue; you also have to mention 3rd-party APIs too. You will get those HTTP links in the error at the time when you run that code.