Tags: google-play, android-security, sslerrorhandler

How to fix the Google Play Warning: SSL Error Handler Vulnerability


I recently published a production release version of my app to Google Play, and I got an email from Google:

[image: the warning email from Google]

I updated my code as Google Support suggests:

import android.content.Context
import android.net.http.SslCertificate
import android.net.http.SslError
import android.webkit.SslErrorHandler
import java.io.ByteArrayInputStream
import java.security.MessageDigest
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// LogUtil, ToastUtils and R.string.ssl_certificate_error are project-specific helpers.
class SslErrorHelper {

    companion object {
        private val DIGITS_LOWER = charArrayOf('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f')

        // Called from WebViewClient.onReceivedSslError. proceed() is only reached when the
        // certificate that failed validation is exactly the pinned one; otherwise cancel().
        fun onSslError(context: Context, sslErrorHandler: SslErrorHandler, error: SslError) {
            // https://support.google.com/faqs/answer/7071387
            LogUtil.log("onSslError --> ${error.primaryError}")
            if (checkCertificate(error.certificate)) {
                sslErrorHandler.proceed()
            } else {
                ToastUtils.getInstance().showToast(context.getString(R.string.ssl_certificate_error))
                sslErrorHandler.cancel()
            }
        }

        /**
         * Compare the SHA-256 fingerprint of the DER-encoded certificate with the pinned
         * value (lowercase hex, no separators).
         */
        private fun checkCertificate(cert: SslCertificate): Boolean {
            val myCertSHA256Str = "SHA256 fingerprint of my server https certificate "
            // SslCertificate.saveState() exposes the raw X.509 bytes under this key.
            val bundle = SslCertificate.saveState(cert)
            val bytes = bundle.getByteArray("x509-certificate")
            if (bytes != null) {
                try {
                    val factory = CertificateFactory.getInstance("X.509")
                    val ca = factory.generateCertificate(ByteArrayInputStream(bytes))
                    val sha256 = MessageDigest.getInstance("SHA-256")
                    val key = sha256.digest((ca as X509Certificate).encoded)
                    val errorCertSHA256 = String(encodeHex(key))
                    if (errorCertSHA256 == myCertSHA256Str) {
                        return true
                    }
                } catch (e: Exception) {
                    // Any parse or digest failure is treated as "not pinned".
                    e.printStackTrace()
                }
            }
            return false
        }

        private fun encodeHex(data: ByteArray): CharArray {
            return encodeHex(data, DIGITS_LOWER)
        }

        // Two hex digits per byte; the 0xF0 mask also discards the sign extension of toInt().
        private fun encodeHex(data: ByteArray, toDigits: CharArray): CharArray {
            val l = data.size
            val out = CharArray(l shl 1)
            var i = 0
            var j = 0
            while (i < l) {
                out[j++] = toDigits[(0xF0 and data[i].toInt()) ushr 4]
                out[j++] = toDigits[0x0F and data[i].toInt()]
                i++
            }
            return out
        }
    }
}

I call the onSslError method in my WebViewClient#onReceivedSslError.

When I re-published my app to Google Play, it still reported the SSL Error Handler vulnerability. I also tried this answer: android Google Play Warning: SSL Error Handler Vulnerability; unfortunately, it still did not work!

After that, I tried to find which class or library implements onReceivedSslError by executing the command find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \; and found that the Facebook Login SDK and ShareSDK had implemented it, so I tried removing them from my project.

After all of the above, it still reported the vulnerability.

Now I'm running out of ideas. Does someone know how to solve this vulnerability, or maybe you can share your experience here?

Thanks and have a good day!
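As an added example (not from the original post or from Google's guidance), here is a small Python helper for the developer's machine that produces the pin value in exactly the format the Kotlin checkCertificate above compares against (SHA-256 over the DER bytes, lowercase hex, no separators), normalises the usual spellings of a fingerprint, and goes one step further than the post by accepting a set of pins so a certificate rotation does not lock users out. The certificate bytes in the demo are constructed stand-ins, not a real certificate.

```python
"""Pin helpers mirroring the WebView SslErrorHelper comparison (added example)."""
import hashlib
import hmac
import re


def fingerprint_hex(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 of a DER-encoded certificate, the same value the
    Kotlin code builds with MessageDigest + encodeHex(DIGITS_LOWER)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Canonicalise a fingerprint string to 64 lowercase hex characters.

    Accepts 'sha256 Fingerprint=AB:CD:...' (openssl x509 -fingerprint output),
    'ab:cd:...', 'ABCD...' or a value with stray whitespace.  Anything else
    raises ValueError, so a malformed pin fails loudly when the app starts
    instead of silently rejecting every certificate at runtime.
    """
    value = pin.split("=", 1)[-1]             # drop an 'xxx Fingerprint=' prefix
    value = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError(f"not a SHA-256 fingerprint: {pin!r}")
    return value


def certificate_is_pinned(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals one of the configured pins.

    A set of pins lets the current and the next server certificate both be
    accepted while the certificate is being renewed.  The comparison is
    constant-time, so timing does not reveal how many leading characters match.
    """
    actual = fingerprint_hex(der_cert)
    return any(hmac.compare_digest(actual, normalize_pin(p)) for p in pins)


if __name__ == "__main__":
    # Constructed stand-in bytes, NOT a real certificate; for a real server
    # certificate read the DER file (or convert PEM to DER) and hash that.
    fake_der = b"constructed-bytes-standing-in-for-a-DER-certificate"
    fp = fingerprint_hex(fake_der)
    openssl_style = "sha256 Fingerprint=" + ":".join(fp[i:i + 2].upper() for i in range(0, 64, 2))
    print("pin to paste into myCertSHA256Str:", fp)
    print("openssl-style value normalises to the same pin:", normalize_pin(openssl_style) == fp)
    print("pinned?", certificate_is_pinned(fake_der, {openssl_style}))
```

With the Kotlin code as posted, a value pasted straight from openssl (uppercase, colon-separated, or with a trailing space as in the placeholder) would never match and every connection would be cancelled; this helper emits the exact string that check expects.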


Solution

  • I changed the package name and then re-published it. It passed without any warning.