{ "id": "159686", "key": "TIMOB-23676", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [ { "id": "16980", "description": "New V8", "name": "Release 6.0.0", "archived": false, "released": true, "releaseDate": "2016-11-15" }, { "id": "17706", "name": "Release 5.4.0", "archived": false, "released": true, "releaseDate": "2016-08-11" } ], "resolution": { "id": "1", "description": "A fix for this issue is checked into the tree and tested.", "name": "Fixed" }, "resolutiondate": "2016-07-25T07:33:49.000+0000", "created": "2016-04-19T07:52:11.000+0000", "priority": { "name": "Critical", "id": "1" }, "labels": [ "android", "sdk-5.2.2", "ssl", "webview" ], "versions": [], "issuelinks": [ { "id": "53906", "type": { "id": "10003", "name": "Relates", "inward": "relates to", "outward": "relates to" }, "outwardIssue": { "id": "165238", "key": "TIMOB-24287", "fields": { "summary": "Android: Soasta Touchtest module causing the app being rejected from Play Store", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "priority": { "name": "Medium", "id": "3" }, "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false } } } } ], "assignee": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "updated": "2018-08-06T17:49:28.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "10202", "name": "Android", "description": "Android Platform" } ], "description": "I have received this alert after publishing my app on google pay\r\n\r\nSecurity alert\r\nYour application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.\r\nTo properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. An email alert containing the affected app(s) and class(es) has been sent to your developer account address.\r\nPlease address this vulnerability as soon as possible and increment the version number of the upgraded APK. For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler.” If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.\r\nTo confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.\r\nPlease note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.\r\nPlease ensure all apps published are compliant with the Developer Distribution Agreement and Content Policy. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.\r\n\r\n\r\nim using SDK 5.2.2\r\n\r\n\r\n\r\n\r\nin my controller\r\n{code}\r\n\t$.winHome.addEventListener('load',function(e) {\r\n\t\tif(fb.loggedin()){\r\n\t\t\tfb.getUserData(function(data){\r\n\t\t\t\t$.winHome.evalJS(\"init(\"+JSON.stringify(data)+\");\");\r\n\t\t\t});\r\n\t\t}\r\n\t});\r\n{code}\r\n\r\nin my html file\r\n{code}\r\nTi.App.fireEvent('mapListener',{op:'view',id:rId});\r\n{code}\r\n\r\n", "attachment": [ { "id": "59000", "filename": "Sans titre.png", "author": { "name": "hamzaezzi", "key": "hamzaezzi", "displayName": "hamza ezzi", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-04-19T07:51:55.000+0000", "size": 118789, "mimeType": "image/png" } ], "flagged": false, "summary": "Security alert : Google Play Warning: WebViewClient.onReceivedSslError handler", "creator": { "name": "hamzaezzi", "key": "hamzaezzi", "displayName": "hamza ezzi", "active": true, "timeZone": "Europe/Berlin" }, "subtasks": [], "reporter": { "name": "hamzaezzi", "key": "hamzaezzi", "displayName": "hamza ezzi", "active": true, "timeZone": "Europe/Berlin" }, "environment": "Titanium SDK 5.2.2\r\nAndroid", "comment": { "comments": [ { "id": "383102", "author": { "name": "nsalahin", "key": "nsalahin", "displayName": "Nazmus Salahin", "active": true, "timeZone": "Asia/Dhaka" }, "body": "Hello,\r\nThanks for reporting. The issue seems to be related to implementation of web view. Please share with us code snippet where you use web view. Also please share the implementation of event listener of the web view. If you are using any other Appcelerator module or third party modules please let us know.\r\nThanks in advance\r\n", "updateAuthor": { "name": "nsalahin", "key": "nsalahin", "displayName": "Nazmus Salahin", "active": true, "timeZone": "Asia/Dhaka" }, "created": "2016-04-19T09:01:57.000+0000", "updated": "2016-04-19T09:01:57.000+0000" }, { "id": "383112", "author": { "name": "hamzaezzi", "key": "hamzaezzi", "displayName": "hamza ezzi", "active": true, "timeZone": "Europe/Berlin" }, "body": "updated the description with content controller and html file\r\n\r\nin my controller\r\n{code}\r\n $.winHome.addEventListener('load',function(e) {\r\n\t\tif(fb.loggedin()){\r\n\t\t\tfb.getUserData(function(data){\r\n\t\t\t\t$.winHome.evalJS(\"init(\"+JSON.stringify(data)+\");\");\r\n\t\t\t});\r\n\t\t}\r\n\t});\r\n{code}\r\n\r\nin my html file\r\n{code}\r\n Ti.App.fireEvent('mapListener',{op:'view',id:rId});\r\n{code}\r\n", "updateAuthor": { "name": "nsalahin", "key": "nsalahin", "displayName": "Nazmus Salahin", "active": true, "timeZone": "Asia/Dhaka" }, "created": "2016-04-19T10:09:33.000+0000", "updated": "2016-04-20T11:40:45.000+0000" }, { "id": "383320", "author": { "name": "nsalahin", "key": "nsalahin", "displayName": "Nazmus Salahin", "active": true, "timeZone": "Asia/Dhaka" }, "body": "Hi,\r\nPlease let us know if you used \"sslerror\" event listener. Also please let us know if you used any module in your project. If you can provide test code and steps to reproduce it will be possible for us to test the problem.\r\n\r\nThanks", "updateAuthor": { "name": "nsalahin", "key": "nsalahin", "displayName": "Nazmus Salahin", "active": true, "timeZone": "Asia/Dhaka" }, "created": "2016-04-20T12:00:45.000+0000", "updated": "2016-04-20T12:00:45.000+0000" }, { "id": "383326", "author": { "name": "hamzaezzi", "key": "hamzaezzi", "displayName": "hamza ezzi", "active": true, "timeZone": "Europe/Berlin" }, "body": "im not using sslerror event listener, and my webview contain only *one local html page* \"index.html\"\r\n\r\nthe example above, it's a part of my apps and can't give you the hole program, but i can say that i don't have nothing special, nothing !!!\r\n\r\nmy controller send facebookdata to html view, and my html when we click to a button send the id to the controller.\r\n\r\nno extrenal html page\r\nno extrenal js file\r\n\r\nim using \r\n\r\n- module facebook existing in SDK\r\n- module AdMob for iOS and Android (maybe this module create issue, i pruchased it from \r\nhttps://marketplace.appcelerator.com/apps/33910\r\n- module inappbilling from appcelerator-modules github\r\n\r\nthat's all", "updateAuthor": { "name": "hamzaezzi", "key": "hamzaezzi", "displayName": "hamza ezzi", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-04-20T12:28:32.000+0000", "updated": "2016-04-20T12:32:21.000+0000" }, { "id": "383350", "author": { "name": "sdarda", "key": "sdarda", "displayName": "Sharif AbuDarda", "active": false, "timeZone": "Asia/Dhaka" }, "body": "Hello, \r\n\r\nPlease create a sample project with only the webview component and the related functions. Don't use any other module in the app. See if the app published successfully in the playstore. It will be helpfull to investigate and pin point the issue if you try reducing the app into different sections and try inplementing the sections one by one. Also, if you were able to figure out the section that is having problem. Please send the project to us for further investigation. \r\n\r\nRegards,\r\nSharif", "updateAuthor": { "name": "sdarda", "key": "sdarda", "displayName": "Sharif AbuDarda", "active": false, "timeZone": "Asia/Dhaka" }, "created": "2016-04-20T14:31:52.000+0000", "updated": "2016-04-20T14:31:52.000+0000" }, { "id": "386616", "author": { "name": "fokkezb", "key": "fokke", "displayName": "Fokke Zandbergen", "active": true, "timeZone": "Europe/Amsterdam" }, "body": "[~shossain] I think this issue is very much like TIMOB-20431 and it doesn't matter what APIs you actually use or not. There's seems to be something wrong with the implementation here:\r\n\r\nhttps://github.com/appcelerator/titanium_mobile/blob/86f2fcdff190c4134db75024a97cc9395dd8869f/android/modules/ui/src/java/ti/modules/titanium/ui/widget/webview/TiWebViewClient.java#L182\r\n\r\nAlso reported on SO:\r\nhttp://stackoverflow.com/q/37377387/4626813", "updateAuthor": { "name": "fokkezb", "key": "fokke", "displayName": "Fokke Zandbergen", "active": true, "timeZone": "Europe/Amsterdam" }, "created": "2016-05-24T12:25:04.000+0000", "updated": "2016-05-24T12:25:04.000+0000" }, { "id": "391189", "author": { "name": "ceperalta", "key": "ceperalta", "displayName": "Carlos Peralta", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Hello,\r\nAny update about this problem? I use the path for 4.0 from http://www.appcelerator.com/blog/2016/03/update-on-recent-google-security-alerts/ ; and I resolve only the TrustManager problem; but the 'SSL Error Handler' is there anyway, reported by Google. I do not use any WebView in my code and I try using the app without any modules (right now only ti.maps).\r\n\r\nI need to use the last SDK ?\r\n\r\nOther Q: my backend services do not use SSL, is just http:// ; and in the port 8080. This can add problems? Google need SSL in the backend now?\r\n\r\n\r\nThank you in advance,\r\nCarlos", "updateAuthor": { "name": "ceperalta", "key": "ceperalta", "displayName": "Carlos Peralta", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2016-07-21T12:46:26.000+0000", "updated": "2016-07-21T12:46:26.000+0000" }, { "id": "391359", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "Currently looking into this.", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2016-07-25T01:59:50.000+0000", "updated": "2016-07-25T01:59:50.000+0000" }, { "id": "391361", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "Master PR: https://github.com/appcelerator/titanium_mobile/pull/8154\r\nBackport 5_4_X PR: https://github.com/appcelerator/titanium_mobile/pull/8155 (If needed)", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2016-07-25T02:48:45.000+0000", "updated": "2016-07-25T02:48:45.000+0000" }, { "id": "391364", "author": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "body": "[~ceperalta] Can you try out the PR and see if it helps you app get submitted?", "updateAuthor": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-07-25T04:30:53.000+0000", "updated": "2016-07-25T04:30:53.000+0000" }, { "id": "391394", "author": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "body": "Test-case:\r\n\r\n1. Create a new Android app: {{appc new}}\r\n2. Include the following code\r\n{code:javascript}\r\nvar win = Ti.UI.createWindow();\r\n\r\nvar web = Ti.UI.createWebView({\r\n ignoreSslError: true,\r\n url: \"https://expired.badssl.com/\"\r\n});\r\n\r\nweb.addEventListener(\"sslerror\", function(e) {\r\n Ti.API.error(\"Event: sslerror\");\r\n Ti.API.error(JSON.stringify(e));\r\n});\r\n\r\nwin.add(web);\r\nwin.open();\r\n{code}\r\n3. Upload the application to Google Play", "updateAuthor": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-07-25T07:06:56.000+0000", "updated": "2016-07-25T07:06:56.000+0000" }, { "id": "391396", "author": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "body": "PR approved! The warning is not thrown anymore using the above setup. Anyway, I'd still be very happy to have some other users confirm the fix. The latest 5_4_X build can be taken from builds.appcelerator.com/#5_4_X shortly.", "updateAuthor": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-07-25T07:33:49.000+0000", "updated": "2016-07-25T07:33:49.000+0000" }, { "id": "440181", "author": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Cleaning up older fixed issues. If this issue should not have been closed as fixed, please reopen.", "updateAuthor": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2018-08-06T17:49:28.000+0000", "updated": "2018-08-06T17:49:28.000+0000" } ], "maxResults": 16, "total": 16, "startAt": 0 } } }