WebViewClient.onReceivedSslErrorHandler.

guruk · August 26, 2016, 2:00pm

Hi, for an older app of mine i got a google warning

We detected that your app(s) listed at the end of this email are using an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. You can also see the list of affected apps, as well as details such as version numbers and class names, on the Alerts page in your Developer Console.

Your current implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView’s content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

came that fixed in a later Daily Build??

I reported it already Dec 2015, but never got an answer

greets

chris

rob · August 26, 2016, 3:47pm

I’ll see what Engineering knows about it.

Rob

Ajay_McCaleb · August 26, 2016, 10:03pm

Hi guruk,

For the app that’s gotten this warning, what plugins (if any) does it include?

The core Android code doesn’t override that specific method (WebViewClient.onReceivedSslError()) with anything special, but the default implementation of that method cancels any loads that encounter any SSL errors.

See source code here.

guruk · August 27, 2016, 9:30am

about ‘what’ plugin could make the problem i dont know

at this time i had following plugins included (dec 2015)

[“plugin.coronaAds”] =

[“plugin.applovin”] =

[“plugin.google.play.services”] =

[“CoronaProvider.ads.inmobi”] =

[“CoronaProvider.ads.vungle”] =

rob · August 26, 2016, 3:47pm