I have received this alert after publishing my app on Google Play
Security alert
Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. An email alert containing the affected app(s) and class(es) has been sent to your developer account address.
Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler.” If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.
To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.
Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
Please ensure all apps published are compliant with the Developer Distribution Agreement and Content Policy. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.
I'm using SDK 5.2.2
in my controller
$.winHome.addEventListener('load', function(e) {
    // Once the WebView has loaded index.html, push the Facebook user data into the page
    if (fb.loggedin()) {
        fb.getUserData(function(data) {
            // Call the page's init() function with the user data as a JSON literal
            $.winHome.evalJS("init(" + JSON.stringify(data) + ");");
        });
    }
});
in my html file
// Button click in the page: send the selected id back to the controller
Ti.App.fireEvent('mapListener', { op: 'view', id: rId });
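For contrast with the pattern Google's alert describes, here is an added example (not code from this ticket or from Titanium's TiWebViewClient) of the flagged handler beside a fail-closed one. The pin map, its host and hex SHA-256 values are assumptions; SslCertificate.getX509Certificate() is only public from API 29, so older levels simply reject.

```java
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;

/** The pattern the Google Play scanner flags: every certificate error is accepted. */
class UnsafeWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // an attacker's certificate is accepted like any other
    }
}

/** Hardened form: cancel by default, proceed only for a leaf certificate the app has pinned. */
class PinnedWebViewClient extends WebViewClient {
    // Hypothetical configuration: host -> lowercase hex SHA-256 of the expected DER-encoded leaf.
    private final Map<String, String> pins;
    PinnedWebViewClient(Map<String, String> pins) { this.pins = pins; }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // proceed() only when the certificate meets the stated expectation; otherwise fail closed
        if (matchesPin(error)) handler.proceed(); else handler.cancel();
    }

    // True only when the presented leaf certificate equals the pin stored for the URL's host.
    boolean matchesPin(SslError error) {
        // getX509Certificate() is public from API 29 only; older levels fail closed.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) return false;
        SslCertificate cert = error.getCertificate();
        X509Certificate x509 = cert == null ? null : cert.getX509Certificate();
        String expected = pins.get(Uri.parse(error.getUrl()).getHost());
        if (x509 == null || expected == null) return false;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return expected.equalsIgnoreCase(hex.toString());
        } catch (Exception e) {
            return false; // any failure to compute the fingerprint is a rejection
        }
    }
}
```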
Hello, thanks for reporting. The issue seems to be related to the implementation of the web view. Please share with us the code snippet where you use the web view. Also please share the implementation of the event listener of the web view. If you are using any other Appcelerator module or third-party modules, please let us know. Thanks in advance.
Updated the description with the content of my controller and my HTML file.
Hi, please let us know if you used the "sslerror" event listener. Also please let us know if you used any module in your project. If you can provide test code and steps to reproduce, it will be possible for us to test the problem. Thanks
I'm not using the sslerror event listener, and my webview contains only *one local html page*, "index.html" (the example above). It's a part of my app and I can't give you the whole program, but I can say that I don't have anything special, nothing!!! My controller sends Facebook data to the HTML view, and when we click a button my HTML sends the id to the controller. No external HTML page, no external JS file. I'm using:
- module facebook existing in the SDK
- module AdMob for iOS and Android (maybe this module creates the issue; I purchased it from https://marketplace.appcelerator.com/apps/33910)
- module inappbilling from the appcelerator-modules GitHub
That's all.
Hello, please create a sample project with only the webview component and the related functions. Don't use any other module in the app. See if the app publishes successfully in the Play Store. It will be helpful to investigate and pinpoint the issue if you try reducing the app into different sections and try implementing the sections one by one. Also, if you are able to figure out the section that is having the problem, please send the project to us for further investigation. Regards, Sharif
[~shossain] I think this issue is very much like TIMOB-20431 and it doesn't matter what APIs you actually use or not. There seems to be something wrong with the implementation here: https://github.com/appcelerator/titanium_mobile/blob/86f2fcdff190c4134db75024a97cc9395dd8869f/android/modules/ui/src/java/ti/modules/titanium/ui/widget/webview/TiWebViewClient.java#L182 Also reported on SO: http://stackoverflow.com/q/37377387/4626813
Hello, any update about this problem? I used the patch for 4.0 from http://www.appcelerator.com/blog/2016/03/update-on-recent-google-security-alerts/ and I resolved only the TrustManager problem; but the 'SSL Error Handler' is still there, reported by Google. I do not use any WebView in my code and I tried using the app without any modules (right now only ti.maps). Do I need to use the latest SDK? Other Q: my backend services do not use SSL, just http:// on port 8080. Can this add problems? Does Google need SSL in the backend now? Thank you in advance, Carlos
Currently looking into this.
Master PR: https://github.com/appcelerator/titanium_mobile/pull/8154 Backport 5_4_X PR: https://github.com/appcelerator/titanium_mobile/pull/8155 (If needed)
[~ceperalta] Can you try out the PR and see if it helps your app get submitted?
Test-case:
1. Create a new Android app:
appc new
2. Include the following code
3. Upload the application to Google Play
PR approved! The warning is not thrown anymore using the above setup. Anyway, I'd still be very happy to have some other users confirm the fix. The latest 5_4_X build can be taken from builds.appcelerator.com/#5_4_X shortly.
Cleaning up older fixed issues. If this issue should not have been closed as fixed, please reopen.