 

SSL warning from Google Play

Got a warning from Google Play.

How can I handle the "SSL Error Handler Vulnerability" of an unsafe implementation of the WebViewClient.onReceivedSslError handler?

"Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise."

Vishal Chaudhari asked Sep 25 '15 05:09


2 Answers

I have received the same warning today, and it informs me that the issue comes from the SDK of one of my ad networks (InMobi, I'm really considering dropping them as they have a lot of fraudulent, auto-redirect banners, and now this...):

com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient

What is the affected class in your case? If it is one of your own classes, you'll have to read the technical documentation and fix your implementation.

If, like me, you are just the victim of one of your external libraries, contact the developers to ask them to provide a fixed library (or drop the library).

Sébastien answered Sep 19 '22 10:09


You should first check that you use the WebViewClient.onReceivedSslError handler properly.

If you're not using the WebViewClient library or if you're already using it properly, the problem is probably coming from a third-party library. You could first use this Linux command in the root directory of your project to identify which libraries could be responsible for the problem:

find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;

This will list the files inside all your jar files having the "OnReceivedSslError" string.

After that, you may check whether the Google recommendations to handle the vulnerability are respected in each matched file.

Stéphane answered Sep 18 '22 10:09
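For checking a handler against the Google Play guidance quoted in the question, here is an added example (not code from any of the posters or from Google) of an onReceivedSslError implementation that fails closed. It assumes that "meets your expectations" means one certificate you pin by SHA-256; the class name PinnedWebViewClient and the pin passed to the constructor are hypothetical. If you have no certificate to pin, the correct handler simply calls handler.cancel(), which is also the WebViewClient default when the method is not overridden.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: cancel every TLS error except an untrusted-chain error on one pinned certificate.
public class PinnedWebViewClient extends WebViewClient {
    // Assumption: SHA-256 of the DER-encoded certificate you expect (supplied by the caller).
    private final byte[] expectedSha256;

    public PinnedWebViewClient(byte[] expectedSha256) {
        this.expectedSha256 = expectedSha256.clone();
    }

    // The flagged pattern is a handler that calls handler.proceed() unconditionally,
    // which accepts any certificate the network presents.
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (onlyUntrusted(error) && matchesPin(error.getCertificate())) {
            handler.proceed();  // the pinned certificate, rejected only for its unknown issuer
        } else {
            handler.cancel();   // expired, wrong host, unknown certificate: abort the load
        }
    }

    // True when SSL_UNTRUSTED is set and no other error bit is present.
    private static boolean onlyUntrusted(SslError e) {
        return e.hasError(SslError.SSL_UNTRUSTED)
                && !e.hasError(SslError.SSL_EXPIRED) && !e.hasError(SslError.SSL_NOTYETVALID)
                && !e.hasError(SslError.SSL_IDMISMATCH) && !e.hasError(SslError.SSL_DATE_INVALID)
                && !e.hasError(SslError.SSL_INVALID);
    }

    private boolean matchesPin(SslCertificate cert) {
        if (cert == null) return false;
        // saveState() stores the DER bytes in the Bundle under "x509-certificate".
        Bundle state = SslCertificate.saveState(cert);
        byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
        if (der == null) return false;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(digest, expectedSha256);
        } catch (NoSuchAlgorithmException ex) {
            return false;  // fail closed
        }
    }
}
```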