Google Play Store SSL warning

13

I received a warning from Google Play.

How do I deal with the "SSL error handler vulnerability" caused by an "unsafe implementation of the WebViewClient.onReceivedSslError handler"?

Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To handle SSL certificate validation properly, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and to invoke SslErrorHandler.cancel() otherwise.


More information about the vulnerability is available here: http://stanford.edu/~pcm2d/blog/ssl.html - Austyn Mahoney
5 answers

9
I got the same warning today, and it told me the problem came from one of my ad network SDKs (InMobi). Given all their fraudulent auto-redirect ads, and now this, I'm seriously considering dropping them. The affected class is shown below:

com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient

If this is your case too, read the technical documentation and fix your implementation. See the following link: documentation

If, like me, you are just a victim of an external library, contact the developers and ask them to provide a fixed library (or drop the library).

1
Hi @Sebastien. I'm from the InMobi team. You are getting the SSL error because a change in the Google Play Store requires the use of https. Just download our latest SDK and the problem will be resolved :) - Sohan
1
I agree about those fraudulent auto-redirect ads. We got a lot of user complaints and bad reviews because of InMobi ads. - Emanuel Moecklin
3
@Sohan, the error is not due to a change in the Play Store. That makes it sound like it is Google's fault. Your SDK has a serious vulnerability that allows man-in-the-middle attacks; Google merely alerted developers to the problem. - Austyn Mahoney

3

You should first check whether you are using the WebViewClient.onReceivedSslError handler correctly.

If you are not using the WebViewClient library, or are already using it correctly, the problem probably comes from a third-party library. You can start by running the following Linux command in the root directory of your project to identify which libraries might be responsible:

find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;

This lists, for every jar file, the files that contain the string "OnReceivedSslError".
You can then check whether each matching file complies with Google's recommendation for handling the vulnerability.

2
If you don't need to handle anything in onReceivedSslError(WebView, SslErrorHandler, SslError), simply remove the method to avoid the Google Play warning. Otherwise, you should not proceed directly either. Here is the example provided by @sakiM: Webview avoid security alert from google play upon implementation of onReceivedSslError
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // The Builder needs a Context: inside an anonymous WebViewClient, 'this' is the
    // client itself, so pass the enclosing Activity (e.g. MyActivity.this) instead.
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    // The user explicitly chooses to continue; the load is not resumed automatically.
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

If a third-party library already calls the onReceivedSslError method, just contact the provider.
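The dialog above leaves the decision to the user. The wording of the Play warning quoted in the question asks for something stricter: proceed() only when the presented certificate is the one you expect, cancel() otherwise. The following WebViewClient is an added example (not code from the question, from this answer, or from @sakiM) that implements that rule by comparing the SHA-256 digest of the server's DER-encoded leaf certificate with a digest you computed offline. The digest constant is a placeholder, and the "x509-certificate" Bundle key used on API levels below 29 is an assumption taken from the AOSP SslCertificate source rather than documented public API.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

/**
 * WebViewClient that applies the Play warning literally: proceed() only when the
 * certificate presented by the server is the one we pinned, cancel() in every other case.
 * Added illustration; not code from the question or from any of the answers.
 */
public class PinnedWebViewClient extends WebViewClient {

    // Placeholder: SHA-256 of the DER-encoded leaf certificate of your own server,
    // computed offline, e.g. `openssl x509 -in server.crt -outform DER | sha256sum`.
    private static final String EXPECTED_LEAF_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        byte[] der = derEncoded(error.getCertificate());
        if (der != null && digestMatches(der, EXPECTED_LEAF_SHA256_HEX)) {
            handler.proceed();   // exactly the certificate we expected
        } else {
            handler.cancel();    // anything else, including unparsable input, is refused
        }
    }

    /** DER bytes of the presented leaf certificate, or null if they cannot be recovered. */
    static byte[] derEncoded(SslCertificate cert) {
        if (cert == null) return null;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            X509Certificate x509 = cert.getX509Certificate();   // public API since API 29
            try {
                return x509 == null ? null : x509.getEncoded();
            } catch (CertificateEncodingException e) {
                return null;
            }
        }
        // Assumption for older API levels: the saved-state Bundle carries the DER
        // certificate under "x509-certificate" (key name taken from the AOSP source).
        Bundle state = SslCertificate.saveState(cert);
        return state == null ? null : state.getByteArray("x509-certificate");
    }

    /** Constant-time comparison of SHA-256(der) against the expected hex digest. */
    static boolean digestMatches(byte[] der, String expectedHex) {
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(actual, hexToBytes(expectedHex));
        } catch (NoSuchAlgorithmException | IllegalArgumentException e) {
            return false;   // malformed pin or missing digest algorithm: treat as mismatch
        }
    }

    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd hex length");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two points follow from the design. onReceivedSslError only runs after the platform's own validation has already failed, so the pin is consulted exclusively for a server whose chain the device does not trust (a self-signed test server, for instance); a certificate the system accepts never reaches this method. And because the pin is tied to one leaf certificate, it has to be updated in the app whenever that server certificate is rotated, otherwise every load is cancelled, which is the safe failure mode here.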

0

Hi, here is the latest solution to your problem. I hope it helps someone who needs it:

// Copy and paste the following code and remove the onReceivedError() method.

/**
 * Notify the host application that an SSL error occurred while loading a
 * resource. The host application must call either handler.cancel() or
 * handler.proceed(). Note that the decision may be retained for use in
 * response to future SSL errors. The default behavior is to cancel the
 * load.
 *
 * @param view    The WebView that is initiating the callback.
 * @param handler An SslErrorHandler object that will handle the user's
 *                response.
 * @param error   The SSL error object.
 */
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // Turn the primary error code into a message for the user; unknown codes leave it empty.
    String msg = "";
    switch (error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            msg = "The date of the certificate is invalid";
            break;
        case SslError.SSL_INVALID:
            msg = "A generic error occurred";
            break;
        case SslError.SSL_EXPIRED:
            msg = "The certificate has expired";
            break;
        case SslError.SSL_IDMISMATCH:
            msg = "Hostname mismatch";
            break;
        case SslError.SSL_NOTYETVALID:
            msg = "The certificate is not yet valid";
            break;
        case SslError.SSL_UNTRUSTED:
            msg = "The certificate authority is not trusted";
            break;
    }
    // OnlinePayment is the enclosing Activity in this answer; it supplies the Context.
    final AlertDialog.Builder builder = new AlertDialog.Builder(OnlinePayment.this);
    builder.setMessage(msg);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

-6

This may be caused by a third-party library used in your application, including OpenSSL. That is what happened in my case. The library was mentioned in the Google Play alert. I used the following grep command, and it included that library.

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

If the problem is due to the OpenSSL library, this command will print a lengthy log.

+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
CAMELLIA part of OpenSSL 1.0.1h 5 Jun 2014
EDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
RC4 part of OpenSSL 1.0.1h 5 Jun 2014
:Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
%s(%d): OpenSSL internal error, assertion failed: %s
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
OpenSSL default
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
DSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014

Try running the same command against another apk that does not contain that library. It will only show two lines similar to the following.
+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl

1
The alert mentions an insecure onReceivedSslError implementation. That has nothing to do with OpenSSL. - Antimony
I confirm @Antimony's comment. - Stéphane

Page content provided by Stack Overflow.