Android unsafe implementation of WebViewClient.onReceivedSslError handler

Question

We are using WebView to load paytm payment pages in our app. In this process we faced Ssl certificate error. To handle this we added SslErrorHandler.proceed() in our code. Everything is working fine. I tried publishing this apk to store, but the app got rejected mentioning

unsafe implementation of WebViewClient.onReceivedSslError handler

Here is my code

    fcweb.getSettings().setJavaScriptEnabled(true);
    fcweb.getSettings().setDomStorageEnabled(true);
    fcweb.setLongClickable(false);
    fcweb.setHapticFeedbackEnabled(false);
    CookieManager.getInstance().setAcceptCookie(true);
    fcweb.setWebViewClient(new WebViewClient(){

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // Ignore SSL certificate errors
            L.d("SSL Error received");

        }

    });

Note: I dont want to show any alert dialog regarding the error. What should I do to resolve this?

Possible duplicate of [Webview avoid security alert from google play upon implementation of onReceivedSslError](http://stackoverflow.com/questions/36050741/webview-avoid-security-alert-from-google-play-upon-implementation-of-onreceiveds) — Shubham Shukla, Jan 20 '17 at 11:20
@ShubhamShukla Thanks for your response. I saw this link, but Showing an alert dialog will create a bad impact. Users will not proceed if they see such warnings. — Suresh Kumar, Jan 20 '17 at 11:22
But it is necessary so that you are not exposing user to various risks — Shubham Shukla, Jan 20 '17 at 11:24

Shubham Shukla · Answer 1 · 2017-01-20T11:30:32.500

0

Not Always force to handler.proceed(); but you have to also include handler.cancel(); so user can avoid unsafe content from loading.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

    @Override 
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override 
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        } 
    }); 
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override 
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        } 
    }); 
    final AlertDialog dialog = builder.create();
    dialog.show();
}

edited Jan 20 '17 at 11:30

answered Jan 20 '17 at 11:22

Shubham Shukla

988
2
13
28

Showing such alerts will create a bad impact on user experience. If user see alerts like security error, probably they wont proceed further. – Suresh Kumar Jan 20 '17 at 11:25
see my comment on question – Shubham Shukla Jan 20 '17 at 11:25
I don't think its good idea, but will it resolve the warning while publishing the app? – Suresh Kumar Jan 20 '17 at 11:28
@SureshKumar yes sir – Shubham Shukla Jan 20 '17 at 11:29
Will it accept if I check this using sslerror.getCertificate().getIssuedTo().getCName()? if this name equals some specific name handler.proceed() else handler.cancel(). – Suresh Kumar Jan 20 '17 at 11:48

Android unsafe implementation of WebViewClient.onReceivedSslError handler

1 Answers1