Google Play security alert for insecure TrustManager
在我的一个应用程序中,我使用具有自签名证书的HTTPS,并遵循了android开发人员培训网站(https://developer.android.com/training/articles/security-ssl.html#UnknownCa)的示例代码 。
我最近收到以下警报,说当前的实现不安全:
Security alert
Your app is using an unsafe implementation of the
X509TrustManager interface with an Apache HTTP client, resulting in a
security vulnerability. Please see this Google Help Center article for
details, including the deadline for fixing the vulnerability.
除了上面链接的示例代码之外,有人可以提供更多有关应更新内容的详细信息吗?
我应该实现自定义
尝试在代码中搜索" TrustManager",如果找不到,则多数情况是由于包含第三方库。
对我而言,这是因为使用了旧版本的ACRA(https://github.com/ACRA/acra)。
可能已经晚了,但是希望它能对某人有所帮助,在请求服务器之前调用此方法。如果证书不信任,则您具有工具对话框或其他使用户可以决定的内容,这里我使用警报对话框。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 | public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task){ try { HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, new X509TrustManager[]{new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { chain[0].checkValidity(); } catch (final Exception e) { mActivity.runOnUiThread(new Runnable() { @Override public void run() { AlertDialog.Builder builder = new AlertDialog.Builder(mActivity); AlertDialog alertDialog = builder.create(); alertDialog.setCancelable(false); String message ="There a problem with the security certificate for this web site."; message +="\ Do you want to continue anyway?"; alertDialog.setTitle("SSL Certificate Error"); alertDialog.setMessage(message); alertDialog.setButton(DialogInterface.BUTTON_POSITIVE,"OK", new DialogInterface.OnClickListener() { @Override public void onClick(DialogInterface dialog, int which) { acceptSSL = true; return; } }); alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE,"Cancel", new DialogInterface.OnClickListener() { @Override public void onClick(DialogInterface dialog, int which) { acceptSSL = true; task.onInterruptedDownload(); } }); alertDialog.show(); } }); while( !acceptSSL){ try{ Thread.sleep(1000); } catch( InterruptedException er) { } } } } public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }}, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory()); } catch (Exception e) { // should never happen e.printStackTrace(); } } |
对我来说,问题是Mobilecore。我已经从应用中删除了该库,并上传了新版本的APK,并且警告已从GPlay开发者控制台中消失。
我还确定了ARCA 4.3可能是我的应用程序的罪魁祸首。
问题,有人知道要确认问题已解决吗?目前,我可以访问的Play商店并未导致Google向我发出警告,但已发布该应用的我们的合作伙伴之一已收到该警告。在向我们的合作伙伴提供新的APK之前,我想验证问题是否已解决。