
I recently received an email from Google with the following subject: "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an "unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript."

I am using in my code:

    webView.setWebViewClient(new WebViewClient() {

        @Override
        public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {}

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            // Accepts every certificate validation error; this is the pattern the Play warning flags
            handler.proceed();
        }

        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return super.shouldOverrideUrlLoading(view, url);
        }

        @Override
        public void onPageFinished(WebView view, String url) {
            super.onPageFinished(view, url);
            // My code
        }
    });

    // My code

    webview_ClientPost(webView, "https://secure.payu.in/_payment", mapParams.entrySet());

Why is Google Play sending this warning regarding SSL? Is this my code issue or a PayUMoney issue?

reixa
Vivek Mittal
  • What was the OS version that triggered this issue? I am also facing the same issue, and people recommend that I do what you have done... I am confused. – San Feb 17 '16 at 12:05
  • It is resolved at http://stackoverflow.com/questions/36050741/webview-avoid-security-alert-from-google-play-upon-implementation-of-onreceiveds – SerkanHocam Jun 29 '16 at 11:17

2 Answers


I hope it is not too late for this. That warning means you should notify the user that they are going to a page with an invalid cert; you should not proceed directly.

You can implement an alert dialog, something like this:

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // `this` must be a Context here (e.g. this method lives in an Activity),
        // not an anonymous WebViewClient
        final AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage(R.string.notification_error_ssl_cert_invalid);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed(); // user chose to continue despite the invalid cert
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel(); // abort the load
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

This was taken from sakiM's answer at this link: Webview avoid security alert from google play upon implementation of onReceivedSslError

Ruben Flores
  • Thank you very much – Vivek Mittal Oct 04 '16 at 09:08
  • Realistically, users won't know whether they should accept an insecure connection or not. The best solution is to just remove the onReceivedSslError method entirely and fallback to the default behavior of rejecting insecure connections. – Antimony Apr 17 '19 at 21:35

The problem is in your code. When you call handler.proceed(); like that, it effectively removes all the security from your connection.

You should remove your onReceivedSslError method. The default implementation will reject insecure connections.

Antimony
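As an added example (not the question's code and not from either answer), a client that keeps the same reject-on-error outcome as the default implementation this answer recommends, but records which validation check failed so the rejection can be diagnosed from logs. The class name, the log tag and the Toast message are the example's own assumptions.

```java
import android.app.Activity;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

/** Rejects any WebView load whose certificate fails validation, as the default
 *  WebViewClient does, and logs the failing check. Assumed to be installed from an
 *  Activity: webView.setWebViewClient(new StrictWebViewClient(this)); */
public class StrictWebViewClient extends WebViewClient {
    private static final String TAG = "StrictWebViewClient"; // assumed log tag
    private final Activity activity;

    public StrictWebViewClient(Activity activity) {
        this.activity = activity;
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Never handler.proceed(): that is the pattern the Play warning flags. Cancel
        // first, then show a generic message; the user is not asked to judge the cert.
        handler.cancel();
        Log.w(TAG, "Rejected TLS connection to " + error.getUrl() + ": " + describe(error));
        view.stopLoading();
        Toast.makeText(activity, "Secure connection failed", Toast.LENGTH_LONG).show();
    }

    /** Maps SslError's primary error code to a label suitable for logging. */
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
            case SslError.SSL_EXPIRED:      return "certificate expired";
            case SslError.SSL_IDMISMATCH:   return "hostname does not match certificate";
            case SslError.SSL_UNTRUSTED:    return "issuer not trusted";
            case SslError.SSL_DATE_INVALID: return "certificate date invalid";
            case SslError.SSL_INVALID:      return "generic certificate error";
            default:                        return "unknown error " + error.getPrimaryError();
        }
    }
}
```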