How to fix the Google Play Warning: SSL Error Handler Vulnerability
I recently publish a production release version app to the google play, and I got a email from Google:
I update my code as Google Support suggest:
class SslErrorHelper {
companion object {
private val DIGITS_LOWER = charArrayOf('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f')
fun onSslError(context: Context, sslErrorHandler: SslErrorHandler, error: SslError) {
// https://support.google.com/faqs/answer/7071387
LogUtil.log("onSslError --> ${error.primaryError}")
if (checkCertificate(error.certificate)) {
sslErrorHandler.proceed()
} else {
ToastUtils.getInstance().showToast(context.getString(R.string.ssl_certificate_error))
sslErrorHandler.cancel()
}
}
/**
* check the certificate
*/
private fun checkCertificate(cert: SslCertificate): Boolean {
val myCertSHA256Str = "SHA256 fingerprint of my server https certificate "
val bundle = SslCertificate.saveState(cert)
val bytes = bundle.getByteArray("x509-certificate")
if (bytes != null) {
try {
val factory = CertificateFactory.getInstance("X.509")
val ca = factory.generateCertificate(ByteArrayInputStream(bytes))
val sha256 = MessageDigest.getInstance("SHA-256")
val key = sha256.digest((ca as X509Certificate).encoded)
val errorCertSHA256 = String(encodeHex(key))
if (errorCertSHA256 == myCertSHA256Str) {
return true
}
} catch (e: Exception) {
e.printStackTrace()
}
}
return false
}
private fun encodeHex(data: ByteArray): CharArray {
return encodeHex(data, DIGITS_LOWER)
}
private fun encodeHex(data: ByteArray, toDigits: CharArray): CharArray {
val l = data.size
val out = CharArray(l shl 1)
var i = 0
var j = 0
while (i < l) {
out[j++] = toDigits[0xF0 and data[i].toInt() ushr 4]
out[j++] = toDigits[0x0F and data[i].toInt()]
i++
}
return out
}
}
}
I call the onSslError method in my WebClient#onReceivedSslError.
While I re-publish my app to Google play, it still report the Vulnerability of SSL Error Handler. I also try this answer android Google Play Warning: SSL Error Handler Vulnerability , unfortunately, it still no works!!
After that, I try to find which class or lib implements the onReceivedSslError by execute the command find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;, found that the Facebook-login sdk and ShareSdk has implemented it, so I try to remove them from my project.
After all of above, it still report the vulnerability.
Now I'm running out of ideas. Could you someone know about to solve the vulnerability, or maybe you can share your experience here.
Thanks and have a good day!
I change the package name, and then re-publish it. It was passed without any warning.
- You can't submit updates as some information about your app is incomplete (Google Play)
- Playstore error: App Bundle contains native code, and you've not uploaded debug symbols
- Ad content rating for different types of apps
- You uploaded an APK that was signed in debug mode. You need to sign your APK in release mode error
- Can't find the option to change privacy policy for Android app already on play store
- The app crashes during the SMS auto-verify call on Android 14 when I change the targetSdkVersion to 34
- Google Play Store says "your device isn't compatible with this version"
- How to open the Google Play Store directly from my Android application?
- Error publishing in Google Play: The version 1 code has already been used. Try another code
- Google Closed Testing
- Google Play Alpha: App not available for this account
- Play Console - Advertising ID declaration
- change from 4 digit version in play store to 3
- Google Play Store rejecting updated flutter app bundle because off adding SMS and Call Log Permissions
- "All uploaded bundles must be signed." error while uploading app bundle to the internal testing release (and other releases) Android Play Console
- In Android Market , how frequently developers can/should update their apk files?
- Rejected app No full-size app banner for Android TV on Google Play
- How can we install/Push the Android application over proprietary Wifi Network?
- How remove an update of published application in Google Play Console
- Why I'm getting URI not registered in jetified-play-services-ads-lite?
- Is there an official API for the Google Play Store app?
- Implement PlayGameServices snapshots on MAUI game
- Google Play store: Discount for in app purchases
- Can't unpublished app from play store
- How to figure out why an Android device is not compatible with an APK
- “You cannot install this app because another user has already installed an incompatible version on this device", other posts didn't work for me
- Version code 1 has already been used. Try another version code
- Will Expo File System Reset when Having an Update from Play Store?
- Google play closed test for 20 testers requirements
- How to create aab (bundle) via Fastlane?