logo标签列表

应用被谷歌应用商店拒绝

androidssl
4
我正在开发一个包含社交网络登录的Android应用程序。在解决此问题后,我删除了包含“WebViewClient.onReceivedSslError”的类。但是在上传应用程序到Google Play商店后,它被拒绝并显示以下错误:“如何在应用程序中处理WebView SSL错误处理程序警报。”我还在后台使用该类来发送电子邮件而无需意图,这需要使用“SSL”和“TrustManagerFactory.X509”。这是驳回的原因吗?如果这是拒绝的原因,那么我可能会得到其他错误,例如“由于X509TrustManager的不安全实现,Google Play商店拒绝了应用程序”。寻求支持。先感谢您。
这是我从Google Play收到的消息:
你好,Google Play开发者,
我们因违反恶意行为或用户数据政策而拒绝了具有软件漏洞的VISApp,包名为com.avonmobility.visapp。如果您提交了更新,则您的应用程序以前的版本仍可在Google Play上获得。
该应用程序使用包含用户数据安全漏洞的软件,或允许未经适当披露收集用户数据。
以下是最近提交的问题和相应的APK版本列表。请尽快升级您的应用程序并增加已升级APK的版本号。
漏洞 APK版本 SSL错误处理程序 有关如何解决WebView SSL错误处理程序警报的更多信息,请参见此Google帮助中心文章。
15
为确认您已正确进行升级,请将更新后的应用程序版本提交到开发者控制台,并在五小时后返回检查以确保警告已消除。
尽管这些漏洞可能不会影响使用此软件的每个应用程序,但最好始终保持所有安全补丁的最新状态。请确保更新应用程序中具有已知安全问题的任何库,即使您不确定问题是否与您的应用程序相关。
应用程序还必须符合开发者分发协议和开发者计划政策。
如果您认为我们做出了错误的决定,请与我们的开发者支持团队联系。
最好,
Google Play团队
你是否在使用没有有效SSL证书的后端(服务器端)?如果没有,那么我猜测你正在使用X509TrustManager来忽略无效的SSL证书错误。这是谷歌不接受的。因此,我建议你为你的服务器端获取一个有效的SSL证书。 - Akhil Soman
@AkhilSoman 你好Akhil,谢谢回复。我也有同感,但是我不知道如何实现它。你能指导我吗? - Raja45
我问了我的一个朋友,他给了我这个链接:http://www.howto-expert.com/how-to-get-https-setting-up-ssl-on-your-website/。 - Akhil Soman
可能是Google Play错误:SSL错误处理程序漏洞和应用更新被拒绝的重复问题。 - Jeremy
3个回答
1

解决Google Play警告:WebViewClient.onReceivedSslError处理程序

并不总是强制使用handler.proceed();,但您还必须包括handler.cancel();,以便用户可以避免加载不安全的内容。

处理WebViewClient.onReceivedSslError处理程序的不安全实现

请使用以下代码

 webView.setWebViewClient(new SSLTolerentWebViewClient());
 webView.loadUrl(myhttps url);

Than 

 private class SSLTolerentWebViewClient extends WebViewClient {
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {

    AlertDialog.Builder builder = new AlertDialog.Builder(Tab1Activity.this);
    AlertDialog alertDialog = builder.create();
    String message = "SSL Certificate error.";
    switch (error.getPrimaryError()) {
        case SslError.SSL_UNTRUSTED:
            message = "The certificate authority is not trusted.";
            break;
        case SslError.SSL_EXPIRED:
            message = "The certificate has expired.";
            break;
        case SslError.SSL_IDMISMATCH:
            message = "The certificate Hostname mismatch.";
            break;
        case SslError.SSL_NOTYETVALID:
            message = "The certificate is not yet valid.";
            break;
    }

    message += " Do you want to continue anyway?";
    alertDialog.setTitle("SSL Certificate Error");
    alertDialog.setMessage(message);
    alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            // Ignore SSL certificate errors
            handler.proceed();
        }
    });

    alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {

            handler.cancel();
        }
    });
    alertDialog.show();
}
}

您需要提醒用户使用 SSL,这样Google才允许您的应用程序进行此操作。

嗨Ajay,谢谢回复。我在我的代码中没有使用Webview。但我不知道为什么会发生这种情况。可能还有其他原因吗?伙计。 - Raja45
1
I also had SSLCertification issue at the time uploading singed apk.
you have to return true for all your trusted http hosts including 3rd party libraries http.

这里我分享一下我解决这个问题的方法,由于安全原因,我没有放出链接的原始路径,这些 Link 帮助了我。

     TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] myTrustedAnchors = new X509Certificate[0];
            return myTrustedAnchors;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
      }};
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession arg1) {
                if (hostname.equalsIgnoreCase("demo.mysite.com") ||
                        hostname.equalsIgnoreCase("prod.mysite.com") ||
                        hostname.equalsIgnoreCase("22.2.202.22:3333") ||
                        hostname.equalsIgnoreCase("cloud.cloudDeveSite.net") ||                            
                        hostname.equalsIgnoreCase("11.2.222.22:2222") ||
                        hostname.equalsIgnoreCase("multispidr.3rdPartyLibrary.io")) {
                    return true;
                } else {
                    return false;
                }
            }
        });

提到了所有存在SSLCertification问题的API,您还需要提到第三方API,当您运行该代码时,您将在错误中获得这些HTTP链接。
0

我也遇到了同样的问题,你可以在你的项目中创建一个类来解决它。

                  import org.apache.http.HttpVersion;
       import org.apache.http.conn.ClientConnectionManager;
        import org.apache.http.conn.scheme.PlainSocketFactory;
        import org.apache.http.conn.scheme.Scheme;
       import org.apache.http.conn.scheme.SchemeRegistry;
     import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
        import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
      import org.apache.http.params.BasicHttpParams;
                                import org.apache.http.params.HttpParams;
    import org.apache.http.params.HttpProtocolParams;
       import org.apache.http.protocol.HTTP;

          import java.io.BufferedInputStream;
     import java.io.IOException;
      import java.io.InputStream;
     import java.net.Socket;
     import java.security.KeyManagementException;
     import java.security.KeyStore;
   import java.security.KeyStoreException;
   import java.security.NoSuchAlgorithmException;
   import java.security.UnrecoverableKeyException;
     import java.security.cert.Certificate;
       import java.security.cert.CertificateException;
     import java.security.cert.CertificateFactory;
       import java.security.cert.X509Certificate;

        import javax.net.ssl.HttpsURLConnection;
         import javax.net.ssl.SSLContext;
     import javax.net.ssl.TrustManager;
     import javax.net.ssl.X509TrustManager;


       public class MySSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");


public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    super(truststore);

    X509TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    sslContext.init(null, new TrustManager[]{tm}, null);
}

@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
    return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}

@Override
public Socket createSocket() throws IOException {
    return sslContext.getSocketFactory().createSocket();
}

/**
 * Makes HttpsURLConnection trusts a set of certificates specified by the KeyStore
 */
public void fixHttpsURLConnection() {
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
}

/**
 * Gets a KeyStore containing the Certificate
 *
 * @param cert InputStream of the Certificate
 * @return KeyStore
 */
public static KeyStore getKeystoreOfCA(InputStream cert) {

    // Load CAs from an InputStream
    InputStream caInput = null;
    Certificate ca = null;
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        caInput = new BufferedInputStream(cert);
        ca = cf.generateCertificate(caInput);
    } catch (CertificateException e1) {
        e1.printStackTrace();
    } finally {
        try {
            if (caInput != null) {
                caInput.close();
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = null;
    try {
        keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return keyStore;
}

/**
 * Gets a Default KeyStore
 *
 * @return KeyStore
 */
public static KeyStore getKeystore() {
    KeyStore trustStore = null;
    try {
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
    } catch (Throwable t) {
        t.printStackTrace();
    }
    return trustStore;
}

/**
 * Returns a SSlSocketFactory which trusts all certificates
 *
 * @return SSLSocketFactory
 */
public static SSLSocketFactory getFixedSocketFactory() {
    SSLSocketFactory socketFactory;
    try {
        socketFactory = new MySSLSocketFactory(getKeystore());
        socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    } catch (Throwable t) {
        t.printStackTrace();
        socketFactory = SSLSocketFactory.getSocketFactory();
    }
    return socketFactory;
}

/**
 * Gets a DefaultHttpClient which trusts a set of certificates specified by the KeyStore
 *
 * @param keyStore custom provided KeyStore instance
 * @return DefaultHttpClient
 */
public static DefaultHttpClient getNewHttpClient(KeyStore keyStore) {

    try {
        SSLSocketFactory sf = new MySSLSocketFactory(keyStore);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sf, 443));

        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

        ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);

        return new DefaultHttpClient(ccm, params);
    } catch (Exception e) {
        return new DefaultHttpClient();
    }
}

}

你好,谢谢你的回复。请问你能否解释一下在哪里使用并调用它吗? - Raja45
只需创建一个新类。 - android_jain
在谷歌上搜索,你会发现我是在发送JSON时进行调用的。 - android_jain
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接