Open vplacinta opened 8 years ago
@vplacinta Thank you for contacting us. This library does not contain any implementation of the WebViewClient.onReceivedSslErrorHandler method; it uses the default implementation from Android. I have created a question on Stack Overflow per the directions. When this is updated we will circle back to this issue.
@vplacinta please contact me offline at pnied AT microsoft DOT com; there is some more information we need to look into for this issue.
Has this issue been fixed in 0.8.6? I have this problem too. I checked the code and found that the "onReceivedSslError" method in "AuthorizationRequest" has been removed compared to 0.8.1, but this issue is still open. I'm using outlook-sdk, which uses orc-for-android, and it uses an old version of this library, "0.8.0".
@nangonghuang you can remove the loading of the older version by disabling transitive dependencies or by excluding the module. Here is a search to get you started: https://www.bing.com/search?q=gradle+transitive+dependency
I got the same message from Google.
I can see in the class AuthorizationRequest.java there is an implementation:

```java
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    // TODO: Android does not like the SSL certificate we use, because it has '*' in
    // it. Proceed with the errors.
    handler.proceed();
}
```

which Google doesn't expect.
I am using version compile('com.microsoft.services:outlook-services:2.1.0').
Do we have any other version which resolves this issue, or any way to fix it?
Thank you, Nguyen
Note: you should use Microsoft Graph SDK for Android to communicate with Microsoft Services such as Outlook.
@phuongtnm-vns you need to remove the transitive dependency mapping and include a reference to this library, which could look something like:

```groovy
// Include an example sdk as a dependency, without its transitive dependencies
compile('com.microsoft.graph:msgraph-sdk-android:1.2.+') {
    transitive = false
}
// Include this library directly, pulling in the latest version
compile('com.microsoft.services.msa:msa-auth:0.8.+')
```
I have received the following message from Google:

> Hello Google Play Developer,
>
> In July, the app submissions listed at the end of this email were rejected due to an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. This implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
>
> What's happening
>
> We're extending the time provided to fix your apps. Starting November 25, 2016, Google Play will block publishing of any new apps that contain this vulnerability. Your published APK version will remain unaffected, but any new apps or updates after this date will be rejected unless you address the vulnerability.
>
> Action Required
>
> • To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
> • If you are using a 3rd party library that's responsible for this, please notify the 3rd party and work with them to address the issue.
> • After making changes, sign in to your Developer Console and submit the updated version of your app.
> • Check back after five hours - we'll show a warning message if the app hasn't been updated correctly.
>
> We're here to help
>
> If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag "android-security." For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
>
> Regards,
> The Google Play Team
The Vulnerable class is: com.microsoft.services.msa.AuthorizationRequest$OAuthDialog$AuthorizationWebViewClient
Could you help out with this issue?
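For contrast with the `handler.proceed()` body quoted earlier in this thread, here is an added example (not code from this library or from any commenter) of the shape Google's message asks for: proceed only when the certificate meets an explicit expectation, cancel in every other case. The class name, the placeholder pin constant and the choice to tolerate only `SSL_IDMISMATCH` (the hostname/wildcard case the TODO comment describes) are assumptions for illustration.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical replacement client: default-deny, with one narrowly scoped exception. */
public class PinnedAuthWebViewClient extends WebViewClient {

    // PLACEHOLDER: hex SHA-256 of the DER-encoded leaf certificate the login
    // endpoint is expected to present. Replace with the real fingerprint.
    private static final String EXPECTED_LEAF_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Only a hostname mismatch is ever tolerated, and only when the presented
        // leaf certificate is byte-for-byte the pinned one. Expired, untrusted or
        // otherwise invalid certificates always cancel the load.
        if (error.getPrimaryError() == SslError.SSL_IDMISMATCH
                && matchesPin(error.getCertificate())) {
            handler.proceed();
        } else {
            handler.cancel(); // same outcome as WebViewClient's default implementation
        }
    }

    private static boolean matchesPin(SslCertificate cert) {
        // SslCertificate.saveState() exposes the DER bytes under "x509-certificate".
        Bundle state = SslCertificate.saveState(cert);
        byte[] der = state == null ? null : state.getByteArray("x509-certificate");
        if (der == null) return false;
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(der);
            // Constant-time comparison so timing does not reveal how many bytes matched.
            return MessageDigest.isEqual(actual, hexToBytes(EXPECTED_LEAF_SHA256_HEX));
        } catch (NoSuchAlgorithmException e) {
            return false; // fail closed
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

If no exception is actually needed, the simplest fix is to delete the override entirely, since `WebViewClient`'s default already calls `handler.cancel()`.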