WebView: how to avoid security alert from Google Play upon implementation of onReceivedSslError
To properly handle SSL certificate validation, change your code to
invoke SslErrorHandler.proceed() whenever the certificate presented by
the server meets your expectations, and invoke
SslErrorHandler.cancel() otherwise.
As email said, onReceivedSslError
should handle user is going to a page with invalid cert, such like a notify dialog. You should not proceed it directly.
For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
builder.setMessage(R.string.notification_error_ssl_cert_invalid);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
More explain about the email.
Specifically, the implementation ignores all SSL certificate validation
errors, making your app vulnerable to man-in-the-middle attacks.
The email says the default implement ignored an important SSL security problem. So we need to handle it in our own app which used WebView. Notify user with a alert dialog is a simple way.
android Google Play Warning: SSL Error Handler Vulnerability
the solution is to remove onReceivedSslError
.
Related Topics
Importing Google-Play-Service Library Showing a Red X Next to This Reference Android
Android Popup Window Dismissal
Viewpager as a Circular Queue/Wrapping
Android:Loading an Image from the Web with Asynctask
How to Remove Application from App Listings on Android Developer Console
Pass Data from Activity to Service Using an Intent
Huawei, Logcat Not Showing the Log for My App
How to Know an Application Is Installed from Google Play or Side-Load
Alertdialog.Builder with Custom Layout and Edittext; Cannot Access View
Retrieve Incoming Call's Phone Number in Android
How to Create a Circular Progressbar in Android Which Rotates on It
How to Execute Async Task Repeatedly After Fixed Time Intervals
Passing Data Between Fragments to Activity
How to Access Call Log for Android