Azure / azure-mobile-engagement-unity

Unity SDK for Azure Mobile Engagement
MIT License
13 stars 7 forks

Rejected on Google Play with error - WebView SSL Error Handler vulnerability #9

Closed goneale closed 7 years ago

goneale commented 7 years ago

Received this error and my APK update was denied on the play store:

This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.

Vulnerability | APK Version(s)
SSL Error Handler |

For more information on how to address WebView SSL Error Handler alerts, please see this Google Help Center article.

Please advise as soon as possible, as it's preventing my go-live deployment. Thanks.

guperrot commented 7 years ago

Hi @goneale,

The underlying Android SDK wrapped into Unity does not override WebViewClient.onReceivedSslError, and the default behavior of that method is to cancel, which is safe.

Are you sure the issue is caused by this sdk? No other mobile engagement customer has got his app rejected so far.

Can you look for onReceivedSslError method usages in your app?

If you have other third party libraries (especially ad ones), look for the jar files and run this command:

find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;

If some of the libs you use are aar files, first unzip the classes.jar that is inside and then run the command above inside the directory where you extracted the classes.jar files.

If any of the jar files from a third party return a result in find, then you can contact their support.

If you can share an APK file I can also scan on my side.
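The scan suggested above, written out as a stand-alone script. This is an added example, not code from the Azure Mobile Engagement SDK or from anyone in this thread: it does what the `find ... -exec zipgrep -i onreceivedsslerror` one-liner does, but also descends into `.aar` files (their embedded `classes.jar`) and `.apk` files (`classes*.dex`) without manual extraction. The directory layout, package names and archive names in the sample tree are invented for the demo; the only assumption is that the plugin archives are ordinary zip files, which jar, aar and apk all are.

```python
"""Scan a Unity project's Android plugins for onReceivedSslError references.

Added example, not part of the SDK or this issue thread. Equivalent to
`find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;`, extended
to look inside .aar (classes.jar) and .apk (classes*.dex) archives.
All names in the sample tree below are invented.
"""
import io
import os
import sys
import tempfile
import zipfile

NEEDLE = b"onreceivedsslerror"   # matched case-insensitively, like zipgrep -i
NESTED = (".jar", ".aar")        # archives that may sit inside another archive


def scan_archive_bytes(data, label):
    """Return 'label!entry' for every entry of the zip in `data` whose bytes
    contain NEEDLE. A .class file that overrides onReceivedSslError carries
    the method name in its constant pool and a .dex file carries it in its
    string table, so a raw substring search is enough to flag candidates
    (callers of the method match too, which is fine for a triage list)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            entry = f"{label}!{info.filename}"
            if info.filename.lower().endswith(NESTED):
                # e.g. classes.jar inside an .aar: descend instead of grepping
                hits.extend(scan_archive_bytes(payload, entry))
            elif NEEDLE in payload.lower():
                hits.append(entry)
    return hits


def scan_tree(root):
    """Walk `root` and scan every .jar, .aar and .apk. Returns a sorted list of
    'archive!entry' strings; corrupt archives are reported on stderr and
    skipped rather than silently counting as clean."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".jar", ".aar", ".apk")):
                continue
            path = os.path.join(dirpath, fn)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            try:
                hits.extend(scan_archive_bytes(data, label))
            except zipfile.BadZipFile:
                print(f"warning: {label} is not a valid zip archive", file=sys.stderr)
    return sorted(hits)


def _make_zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree(root):
    """Construct a fictional Assets/Plugins/Android directory (sample data,
    not real SDK artifacts): one clean jar, one aar whose classes.jar holds a
    WebViewClient subclass overriding onReceivedSslError, and one junk file
    with a .jar extension to exercise the BadZipFile path."""
    plugins = os.path.join(root, "Assets", "Plugins", "Android")
    os.makedirs(plugins, exist_ok=True)
    # 0xCAFEBABE is the class-file magic; the rest stands in for a constant
    # pool naming the methods the class defines.
    clean_class = b"\xca\xfe\xba\xbe" + b"\x00com/example/push/Receiver\x00onReceive\x00"
    bad_class = (b"\xca\xfe\xba\xbe"
                 + b"\x00com/example/ads/AdWebClient\x00onReceivedSslError"
                 + b"\x00android/webkit/SslErrorHandler\x00proceed\x00")
    with open(os.path.join(plugins, "example-push-sdk.jar"), "wb") as f:
        f.write(_make_zip({"com/example/push/Receiver.class": clean_class}))
    with open(os.path.join(plugins, "example-ads-release.aar"), "wb") as f:
        f.write(_make_zip({
            "AndroidManifest.xml": b"<manifest package='com.example.ads'/>",
            "classes.jar": _make_zip({"com/example/ads/AdWebClient.class": bad_class}),
        }))
    with open(os.path.join(plugins, "not-really-a.jar"), "wb") as f:
        f.write(b"this is not a zip file")
    return plugins


def demo():
    """Build the sample tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for hit in results:
        print(hit)
    print(f"{len(results)} entries reference onReceivedSslError")
```

Run it with the Unity project root as the argument (`python scan_ssl_handler.py /path/to/project`); with no argument it scans the constructed sample tree and reports the single `.aar!classes.jar!...AdWebClient.class` hit. A hit only tells you which archive mentions the method; confirm with a decompiler whether the override calls `handler.proceed()`, which is the pattern the Play Store alert is about, before raising it with the vendor.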

goneale commented 7 years ago

Hi @guperrot, I come from a Unity and C# background with limited Java experience, so forgive me, but running the below command yielded 0 results.

Grahams-MBP:unity-rework goneale$ find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;
Grahams-MBP:unity-rework goneale$ 

It just returned nothing; find . on its own, however, returned a lot of files.

As for searching for .aar's, these are the only references I have for them when searching the same repository on my Windows machine - http://screencloud.net/v/F2G6.

I don't believe it could be any other component as the updated APK should have only contained the Azure Engagement Plugin work as I wished to support notifications in my game. As soon as I read that message from Google, I did immediately think of the WebView you guys have available to display when creating non-simple notifications from the Engagement Portal (provision for url, title, text contents, buttons).

I will keep looking through other code that may have been added, but I certainly didn't add a webview so it's a strange error to receive.

guperrot commented 7 years ago

Hi again @goneale

guperrot commented 7 years ago

Can you also share that particular unityads-release.aar file that I see from the screenshot before you update any dependency?

iamclement commented 7 years ago

@goneale Anything new on this based on @guperrot's answers? It appears that the UnityAds library is also using WebViews, but the latest version at least seems fine regarding this issue (not overriding onReceivedSslError).

iamclement commented 7 years ago

Too old, no answer, closing.