
I am trying to understand and fix why my app is rejected. I know it's about SSL, but I can't seem to find which dependency is causing it. I am using the following setup:

  1. Android N (24)
  2. Fabric.
  3. MixPanel.
  4. Quickblox.
  5. Crashlytics
  6. Analytics.

Any help would be appreciated.


Update: this is from the Alerts section

Security alert

Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

An email alert containing the affected app(s) and class(es) has been sent to your developer account address. Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags "android-security" and "SslErrorHandler." If you are using a 3rd party library that's responsible for this, please notify the 3rd party and work with them to address the issue.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning. Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement. Please ensure all apps published are compliant with the Developer Distribution Agreement and Developer Program Policies. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.
Affects APK version 2.

Itzik Samara
  • Are you receiving the "Your app is using an unsafe implementation of X509TrustManager [...]" message? If so, I'll post a fix. If not, please indicate what message you received as the reason your app was rejected. – thomaspsk Jul 10 '16 at 18:25
  • Normally you would want to go step by step into this by removing dependencies then adding them back one at a time to make sure you catch the root of the problem – Eenvincible Jul 10 '16 at 18:31
  • Give a look at http://stackoverflow.com/questions/36050741/webview-avoid-security-alert-from-google-play-upon-implementation-of-onreceiveds – StarsSky Jul 10 '16 at 18:32
  • Saw this answer; since it's somewhere inside the third-party libs I can't really do anything, and I know I need to remove each lib and see which one is causing it. I just didn't want to get there yet and thought there was a simple solution for it :( – Itzik Samara Jul 10 '16 at 18:33
  • If you are not using a `WebViewClient` in your own code, this problem must be coming from one of your dependencies. Start by ensuring that you are on the latest versions of those dependencies. Perhaps this problem has been fixed in a newer version than the one you are using. – CommonsWare Jul 10 '16 at 18:45

2 Answers


You need to update your WebViewClient handler as described below. If you have not used a WebView with onReceivedSslError() in your application, then check that the SDKs you use are on their latest versions, updated according to Google's new security policy.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I add an alert dialog so the user has to confirm, and Google no longer seems to show the warning.

    import android.app.AlertDialog;
    import android.content.DialogInterface;
    import android.net.http.SslError;
    import android.webkit.SslErrorHandler;
    import android.webkit.WebView;

    // Inside your WebViewClient subclass:
    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // Use the WebView's Context: "this" here is the WebViewClient, not an Activity
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        String message = "SSL Certificate error.";
        // Translate the primary validation failure into a message for the user
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed(); // user accepted the risk: continue loading
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel(); // abort the load
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

After these changes it will not show the warning.

Anant Shah
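A stricter handler, added here as an example and not part of either answer or the asker's app: instead of asking the user, it proceeds only when the presented certificate's public key matches a pin the app ships with, and cancels every other SSL error. The class name PinnedWebViewClient, the TAG and the pin constant are assumptions made for this example, and the pin value is a placeholder rather than a real hash. It also assumes API 29 or later for SslCertificate.getX509Certificate(); on older devices it cancels, since the certificate cannot be inspected through the public API.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.util.Base64;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

/**
 * Hypothetical example class (not from the original answer): a WebViewClient that
 * calls SslErrorHandler.proceed() only when the server certificate's SubjectPublicKeyInfo
 * hashes to a pin the app ships with, and SslErrorHandler.cancel() otherwise.
 */
public class PinnedWebViewClient extends WebViewClient {
    private static final String TAG = "PinnedWebViewClient";

    // Placeholder pin (constructed for this example, not a real value): base64 of the
    // SHA-256 over the DER-encoded SubjectPublicKeyInfo of the expected certificate.
    private static final Set<String> PINNED_SPKI_SHA256 = Collections.singleton(
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=");

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        X509Certificate cert = toX509(error.getCertificate());
        if (cert != null && matchesPin(cert)) {
            // The certificate is the one we expect, e.g. an internal CA on a fixed host;
            // proceed even though the platform trust store rejected it.
            handler.proceed();
            return;
        }
        // Anything else (untrusted CA, hostname mismatch, expired, ...) is treated as a
        // possible man-in-the-middle: never give the user a "continue anyway" button.
        Log.w(TAG, "Rejecting SSL error " + error.getPrimaryError() + " for " + error.getUrl());
        handler.cancel();
    }

    /** True if the certificate's SPKI hash equals one of the shipped pins. */
    static boolean matchesPin(X509Certificate cert) {
        byte[] actual = spkiSha256(cert).getBytes();
        for (String expected : PINNED_SPKI_SHA256) {
            // MessageDigest.isEqual compares in constant time
            if (MessageDigest.isEqual(expected.getBytes(), actual)) {
                return true;
            }
        }
        return false;
    }

    /** Base64(SHA-256(DER SubjectPublicKeyInfo)), the same form used by HPKP-style pins. */
    static String spkiSha256(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(cert.getPublicKey().getEncoded());
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }

    /** Converts the WebView's SslCertificate to an X509Certificate (API 29+ only). */
    private static X509Certificate toX509(SslCertificate sslCert) {
        if (sslCert == null) {
            return null;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            return sslCert.getX509Certificate();
        }
        // Assumption for this example: below API 29 the certificate is treated as
        // unverifiable, so the caller cancels the load.
        return null;
    }
}
```

If the app never needs to accept a certificate the platform does not already trust, the simplest implementation that satisfies the alert is an override that just calls handler.cancel(). A "continue anyway" dialog still lets an attacker's certificate through with one tap, which is the behaviour the alert describes; pinning keeps the decision in code, where the expected key is known in advance.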

The problem was BackEndless; updating its version fixed it.

Itzik Samara