As the title says: when I submitted my app, Google sent back an email, roughly as follows:
Hello Google Play Developer,
We reviewed xxx, with package name xxxx, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.
Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.
SSL Error Handler: For more information on how to address WebView SSL Error Handler alerts, please see this Google Help Center article.
I handled my onReceivedSslError method following that Google Help Center article: I got the SHA-256 fingerprint of the HTTPS certificate from the server, then checked whether the fingerprint of the certificate that triggered the error matched the server's, and only called sslErrorHandler.proceed() if it matched, otherwise sslErrorHandler.cancel().

After resubmitting, I still got an email saying ssl error handler. I also tried the method from StackOverflow: when an error occurs, pop up a dialog asking the user whether to continue, and let the user decide. That didn't help either.

Wondering whether anyone on V2EX has run into this.
1
Jirajine 2021-04-22 10:50:57 +08:00 via Android
Applications are advised not to prompt the user about SSL errors, as the user is unlikely to be able to make an informed security decision and WebView does not provide any UI for showing the details of the error in a meaningful way.
Application overrides of this method may display custom error pages or silently log issues, but it is strongly recommended to always call SslErrorHandler#cancel and never allow proceeding past errors.
There is no hard requirement for SSL pinning; verifying the server certificate isn't necessary. The intent of this requirement is to stop data being stolen when the app keeps connecting despite a certificate error, not to stop users from deliberately installing a certificate to capture traffic. So to meet their requirement, just cancel as soon as you receive the error and you're done; log it and show a toast while you're at it. A dialog asking the user should also be allowed.
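As an added example (not code from the original thread, from Google, or from any SDK mentioned here), the override the quoted documentation asks for is shown next to the fingerprint-then-proceed variant the OP describes, which the thread reports was still flagged. Everything below is constructed for illustration: the class names, the `EXPECTED_SHA256` placeholder, the log tag and the error-page HTML are assumptions, and the pre-API-29 `"x509-certificate"` bundle key is the commonly used workaround for reading the DER bytes out of an `SslCertificate`.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;

/**
 * Constructed example: the WebViewClient override the Android docs ask for.
 * Every TLS error is logged and cancelled. The page never loads over a broken
 * connection, and there is no proceed() call left for a reviewer or scanner to find.
 */
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "WebViewSsl"; // assumed log tag

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "TLS error " + error.getPrimaryError() + " loading " + error.getUrl()
                + " (cert sha256=" + fingerprint(error.getCertificate()) + ")");
        handler.cancel();
        // Optional: replace the blank WebView with an in-app error page (assumed HTML).
        view.loadDataWithBaseURL(null,
                "<h3>Secure connection failed</h3><p>The site's certificate could not be verified.</p>",
                "text/html", "utf-8", null);
    }

    /** Hex SHA-256 over the DER encoding of the presented certificate, or null if unavailable. */
    static String fingerprint(SslCertificate cert) {
        if (cert == null) return null;
        try {
            byte[] der;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                X509Certificate x509 = cert.getX509Certificate(); // public since API 29
                der = x509 == null ? null : x509.getEncoded();
            } else {
                // Pre-API-29 workaround: the saved state bundle carries the DER bytes.
                Bundle state = SslCertificate.saveState(cert);
                der = state == null ? null : state.getByteArray("x509-certificate");
            }
            if (der == null) return null;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (Exception e) {
            return null;
        }
    }
}

/**
 * Constructed example of what the OP describes: compare the presented certificate's
 * fingerprint to a pinned value and proceed() on a match. The thread reports that
 * Google Play still flagged this; the docs quoted above say never to proceed at all.
 */
class PinnedProceedWebViewClient extends WebViewClient {
    // Assumed placeholder: hex SHA-256 of the server's leaf certificate.
    private static final String EXPECTED_SHA256 = "replace-with-server-leaf-sha256-hex";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        String seen = StrictSslWebViewClient.fingerprint(error.getCertificate());
        if (seen != null && MessageDigest.isEqual(seen.getBytes(), EXPECTED_SHA256.getBytes())) {
            handler.proceed(); // the call the Play review is objecting to
        } else {
            handler.cancel();
        }
    }
}
```

Wire it up with `webView.setWebViewClient(new StrictSslWebViewClient())`. Shipping only the strict variant means no `proceed()` remains in your own code, so if the alert persists after that, the call is coming from a bundled library rather than from the app itself.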
2
DeweyReed 2021-04-22 11:04:51 +08:00
Decompile your own app and search for the corresponding API.
It's usually caused by a third-party SDK, for example older versions of Umeng Analytics.
3
NathanDo 2021-04-22 13:24:29 +08:00
I recently ran into a similar problem: a device calls an HTTPS API that works on the web, on iOS, and even in Chrome on Android, but fails only inside WebView with an SslError...
6
naiyu OP @DeweyReed With this command `find . -name '*.jar' -exec zipgrep -i WebViewClient {} \;` I found a few third-party libraries that use WebView, temporarily removed them and submitted a test build, and it still reports this ssl error handler.
8
zeroman 2021-05-04 01:17:39 +08:00 via Android
Show a dialog prompt and let the user choose whether to proceed.