bams1 / support-tools

Automatically exported from code.google.com/p/support-tools
Apache License 2.0

Security alert #177

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
With the planned upgrade, the applications received the following letter:

Security alert

Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

An email alert containing the affected app(s) and class(es) has been sent to your developer account address. Please address this vulnerability as soon as possible and increment the version number of the upgraded APK.

For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler”. If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.

Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement. Please ensure all apps published are compliant with the Developer Distribution Agreement and Content Policy. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.

Affects APK version 20.

What do we do, and how do we fix the problem?
Also, how can we verify that the problem is solved? By repeating the publication? Is our application blocked in the meantime?

Original issue reported on code.google.com by moskale...@woxapp.com on 10 Feb 2016 at 3:24
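The handler pattern the alert describes, shown beside a hardened version, as an added example that is not code from this repository or from the issue reporter. The hardened client cancels every TLS error unless the presented certificate matches one expected SHA-256 fingerprint; the fingerprint value is a placeholder, and the comparison relies on `SslCertificate.getX509Certificate()`, which is public only from API 29, so older devices simply cancel.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// The pattern the Play alert flags: every TLS error is silently accepted,
// so any certificate an on-path attacker presents is trusted.
class UnsafeWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
}

// Hardened client: cancel by default, proceed only for one known certificate.
class SafeWebViewClient extends WebViewClient {
    // Placeholder: hex SHA-256 of the DER encoding of the server certificate the app expects.
    private static final String EXPECTED_SHA256_HEX = "<hex sha-256 of expected certificate>";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesExpectedCertificate(error.getCertificate())) {
            handler.proceed();   // certificate is the one we deliberately pinned
        } else {
            handler.cancel();    // abort the load; WebView shows its error page
        }
    }

    static boolean matchesExpectedCertificate(SslCertificate cert) {
        // getX509Certificate() became public in API 29; earlier devices get a plain cancel.
        if (cert == null || Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) return false;
        X509Certificate x509 = cert.getX509Certificate();
        if (x509 == null) return false;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            // Constant-time comparison of the computed and expected fingerprints.
            return MessageDigest.isEqual(hex.toString().getBytes(), EXPECTED_SHA256_HEX.getBytes());
        } catch (Exception e) {
            return false;
        }
    }
}
```

A pinned leaf certificate stops working when the server rotates it, so an app that pins must ship an update before the certificate changes; if no exception is actually needed, the handler can simply call `handler.cancel()` unconditionally.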

GoogleCodeExporter commented 8 years ago

Original comment by chrsm...@google.com on 10 Feb 2016 at 3:48