Google Play Developer Console rejected my app update

I am trying to understand and fix why my application is rejected. I know this is about SSL, but I cannot find which dependency causes it. I use the following setup:

  • Android N (24)
  • The cloth.
  • Mixpanel
  • Quickblox
  • Crashlytics
  • Analytics

Any help would be appreciated.


Update: This is from the notification section.

Safety warning

Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. In particular, the implementation ignores all SSL certificate verification errors, making your application vulnerable to man-in-the-middle attacks. An attacker can modify the affected WebView content, read the transmitted data (for example, login credentials), and execute code inside the application using JavaScript.

To handle the SSL certificate correctly, change your code to call SslErrorHandler.proceed() when the certificate provided by the server meets your expectations, and call SslErrorHandler.cancel() otherwise. An email notification containing the affected application(s) and class(es) has been sent to your developer account address.

Please fix this vulnerability as soon as possible and increase the version number of the updated APK. For more information about the SSL error handler, see our documentation in the Developer Help Center. For other technical issues, you can post to https://www.stackoverflow.com/questions and use the tags "android-security" and "SslErrorHandler". If you use a third-party library that is responsible for this, report it to the third party and work with them to solve the problem.

To confirm that you have updated correctly, upload the updated version to the developer console and check back after five hours. If the application has not been updated correctly, a warning appears.

Please note that while these specific problems may not affect every application using WebView SSL, it is best to stay up to date with all security patches. Applications with vulnerabilities that put users at risk of compromise may be considered in violation of our malicious conduct policies and section 4.4 of the Software Distribution Agreement.

Please ensure that all published applications comply with the Software Distribution Agreement and Developer Program Policies. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center. Affects APK version 2.

+7
android android-security sslerrorhandler google-console-developer
2 answers

The problem was BackEndless after fixing the patch version.

+1
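The question asks which dependency carries the flagged handler. The following Python script is an added example, not part of the original posts: it scans disassembled smali for onReceivedSslError overrides and reports whether each one calls proceed() or cancel(). It assumes the APK was disassembled with apktool, and the class names in the sample input are constructed.

```python
import re
from pathlib import Path

# Signatures as baksmali/apktool print them for the framework types.
HANDLER = re.compile(
    r"^\.method[^\n]*\bonReceivedSslError\(Landroid/webkit/WebView;"
    r"Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;\)V"
    r"(.*?)^\.end method", re.M | re.S)
CLASS = re.compile(r"^\.class\s+.*?L([\w/$]+);\s*$", re.M)
PROCEED = "Landroid/webkit/SslErrorHandler;->proceed()V"
CANCEL = "Landroid/webkit/SslErrorHandler;->cancel()V"

def audit_smali(text):
    """Return (class, verdict) if the file overrides the handler, else None."""
    method = HANDLER.search(text)
    if method is None:
        return None
    cls = CLASS.search(text)
    name = cls.group(1).replace("/", ".") if cls else "<unknown>"
    body = method.group(1)
    if PROCEED in body and CANCEL not in body:
        return name, "UNSAFE: proceeds, never cancels"
    if PROCEED in body:
        return name, "REVIEW: proceeds on some path"
    return name, "OK: never proceeds"

def audit_tree(root):
    """Audit every .smali file under an apktool output directory."""
    hits = (audit_smali(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.smali"))
    return sorted(h for h in hits if h)

# Constructed sample input (hypothetical classes, not from a real library).
SIG = ("onReceivedSslError(Landroid/webkit/WebView;"
       "Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V")
def sample(cls, call):
    return (f".class public L{cls};\n.super Landroid/webkit/WebViewClient;\n\n"
            f".method public {SIG}\n    .locals 0\n"
            f"    invoke-virtual {{p2}}, Landroid/webkit/SslErrorHandler;->{call}()V\n"
            "    return-void\n.end method\n")

if __name__ == "__main__":
    for cls, call in [("com/example/thirdparty/AdWebViewClient", "proceed"),
                      ("com/example/app/StrictClient", "cancel")]:
        print(audit_smali(sample(cls, call)))
```

Run audit_tree on the directory apktool produced; the package prefix of a flagged class points at the library that ships it. Calls made from inner classes or lambdas (for example a dialog's onClick) are not followed, so a REVIEW or OK verdict still needs a look at the code.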

You need to update the WebViewClient handler as described below. If you haven’t used WebView with onReceivedSslError() in your application, check whether you are using the latest SDK, and update the version in accordance with the new Google security policy.

To properly handle the SSL certificate, change your code to call SslErrorHandler.proceed() when the certificate provided by the server meets your expectations, and call SslErrorHandler.cancel() otherwise.

For example, I added a warning dialog box that the user has to confirm, and it appears that Google no longer displays the warning.

    // Imports needed by the handler:
    import android.app.AlertDialog;
    import android.content.DialogInterface;
    import android.net.http.SslError;
    import android.webkit.SslErrorHandler;
    import android.webkit.WebView;

    // Inside your WebViewClient subclass:
    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // A WebViewClient is not a Context, so build the dialog from the WebView's context.
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        String message = "SSL Certificate error.";
        // Describe the primary error reported for this certificate.
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
        // Load the page only if the user explicitly accepts the error.
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        // Otherwise abort the connection.
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

After this change, no warnings will be displayed.

+1