Backendless Support
 
Answered

App has received warning about onReceivedSslError

I recently got this warning from Google Play saying:

"Google Play Warning: SSL Error Handler Vulnerability" ... "unsafe implementation of the WebViewClient.onReceivedSslError handler"

I don't even use the WebView class/library anywhere in my app. So can it be possible I've implemented something with Backendless SDK wrong? It's the only thing in my code I can imagine causing this since it's only Backendless making connection to the outside world in my app.


Comments (14)


I've now got confirmation on which class is causing it.

The security issue is inherited from "Lcom/backendless/SocialAsyncCallback$1;"

Could any admin take a look at this since it might affect other users of Backendless as well?


Here's the listing of SocialAsyncCallback:

https://github.com/Backendless/Android-SDK/blob/master/src/com/backendless/SocialAsyncCallback.java

The class uses android.webkit.WebView (which is an Android class). Sounds like google is not happy with the class they actually wrote? :)


How can this issue be resolved?


I'm working on it. I've never had this issue before, but I would guess we would need to find where in our code we are using the SocialAsyncCallback. Personally I don't use it directly, but perhaps some other class from Backendless extends or implements that class.


It is used internally for social logins. I'd like to repeat - the problem is not in SocialAsyncCallback, but in the webview class used by it (android.webkit.WebView).


Hey guys, how do we fix it?

I understand that Google's behaviour is sometimes very stupid, but I don't want them to remove my app from the Play Market.

Maybe we can exclude this file and all the classes extending it, if we don't use it in the project?


I temporarily disabled Backendless in my project and published the app without it.

Hope you will find a solution or it will be resolved on Google's side.

Message from Google:

Security alert

Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. An email alert containing the affected app(s) and class(es) has been sent to your developer account address.

Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. For more information about the SSL error handler, please see our documentation in the Developer Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler.” If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. If the app hasn't been correctly upgraded, we will display a warning.

Please note, while these specific issues may not affect every app that uses WebView SSL, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Please ensure all apps published are compliant with the Developer Distribution Agreement and Content Policy. If you have questions or concerns, please contact our support team through the Google Play Developer Help Center.

Affects APK version 75.
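As an added illustration (not code from the Backendless SDK or from anyone in this thread): the unsafe pattern Google's alert describes, next to a handler that follows the advice in the message by cancelling by default and proceeding only when the presented certificate is the one the app expects. `EXPECTED_CERT_SHA256` is a placeholder for the hex SHA-256 of the trusted certificate's DER encoding, and the `"x509-certificate"` bundle key relies on an implementation detail of `SslCertificate.saveState()` rather than public API, so treat it as an assumption.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;

// The pattern Google flags: every certificate error is waved through,
// so a WebView will happily load content over a MITM'd connection.
class UnsafeClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // unconditional proceed() is exactly what the alert describes
    }
}

// Hardened form: cancel unless the certificate matches a pinned expectation.
class PinnedClient extends WebViewClient {
    // Placeholder: hex SHA-256 digest of the DER bytes of the one certificate we trust.
    private static final String EXPECTED_CERT_SHA256 = "<placeholder-hex-digest>";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesPinnedCert(error.getCertificate())) {
            handler.proceed(); // certificate meets our expectations
        } else {
            Log.w("PinnedClient", "Rejecting SSL error " + error.getPrimaryError()
                    + " for " + error.getUrl());
            handler.cancel();  // default: refuse the connection
        }
    }

    private static boolean matchesPinnedCert(SslCertificate cert) {
        if (cert == null) return false;
        try {
            // Assumption: saveState() stores the DER encoding under this key (not public API).
            Bundle state = SslCertificate.saveState(cert);
            byte[] der = state.getByteArray("x509-certificate");
            if (der == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return EXPECTED_CERT_SHA256.equalsIgnoreCase(hex.toString());
        } catch (Exception e) {
            return false; // any failure to verify means cancel
        }
    }
}
```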


The code has been changed in this branch and is in QA now.


When will it be available?


It will be available today or tomorrow. We will notify you.


Now it is available on GitHub: https://github.com/Backendless/Android-SDK/blob/master/out/backendless.jar?raw=true

It will be available on our site and on Maven Central a little bit later.


Thank you!


How do I use this new backendless.jar?


Dheeraj, please read the Quick Start guide.
