Google Play Warning: WebViewClient.onReceivedSslError handler

ssl android-security
Vivek Mittal picture Vivek Mittal · Feb 5, 2016 · Viewed 14.3k times · Source

I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript."] ....................

I am using in my code:

    webView.setWebViewClient(new WebViewClient() {

        @Override
        public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {}

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }

        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return super.shouldOverrideUrlLoading(view, url);
        }

        @Override
        public void onPageFinished(WebView view, String url) {
            super.onPageFinished(view, url);
            // My code
        }
    });

// My code

webview_ClientPost(webView, "https://secure.payu.in/_payment", mapParams.entrySet());

Why the Google play sending this warning regarding SSL? Is this my code issue or PayUMoney issue?

Answer

Ruben Flores picture Ruben Flores · Jun 15, 2016

I hope is not too late for this.. that warning is about you should notify user is going to a page with invalid cert, you should not proceed it directly.

You can implment an alert dialog something like this:

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

This was taken from sakiM answers in this link: Webview avoid security alert from google play upon implementation of onReceivedSslError

Related questions

android Google Play Warning: SSL Error Handler Vulnerability

I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject : "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of …

Read More
Handling certificate errors in Android Webview and clearing the certificate peferences

I am trying to find a proper way to handle SSL certificate errors in the Android Webview. My goal is to provide a way to load pages with SSL certificate errors, but let the user choose to load the page …

Read More
SSL Warning from google play

Got warning from google play. How can i handle "SSL Error Handler Vulnerability" of unsafe implementation of the WebViewClient.onReceivedSslError handler. "Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly …

Read More