FieldDB / FieldDB

An offline/online field database which adapts to its user's terminology and I-Language. http://fielddb.github.io

Home Page: http://lingsync.org


Google Play Warning: SSL Error Handler Vulnerability

cesine opened this issue · comments

Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are using an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. You can also see the list of affected apps, as well as details such as version numbers and class names, on the Alerts page in your Developer Console.

Your current implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

What’s happening

Beginning November 25, 2016, Google Play will block publishing of any new apps or updates that contain this vulnerability. Your published APK version will remain unaffected, however any updates to the app will be rejected unless you address this vulnerability.

Action required

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

After making changes, sign in to your Developer Console and submit the updated version of your app.

Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Regards,

The Google Play Team

Affected app(s) and version(s) are listed below. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

ca.labs.anomiaforme (version 1)
ca.labs.bilingualaphasiatest (version 11)
ca.labs.oprime (version 1)
ca.labs.spyornot (version 1)
com.github.old.android.lessons (version 2)
com.github.old.repo.lessons.georgian (version 5)
com.github.old.repo.speech.kartuli (version 9)
org.example.fieldlinguistics (version 2)
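The unsafe pattern the warning describes, beside a hardened WebViewClient that follows the "cancel() otherwise" rule, as an added example that is not part of this issue or of the FieldDB code base; the class names and log tag are assumptions.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// The pattern Google Play flags: every certificate error is accepted, so a
// man-in-the-middle certificate is trusted exactly like a valid one.
class UnsafeWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // accepts SSL_UNTRUSTED, SSL_EXPIRED, SSL_IDMISMATCH, ...
    }
}

// Hardened replacement: any validation error aborts the load. The default
// WebViewClient already cancels, so deleting the override is equivalent; this
// version additionally records why the page was refused. proceed() would only
// be justified after an explicit comparison of error.getCertificate() against
// a certificate the app expects, which this example deliberately does not do.
class HardenedWebViewClient extends WebViewClient {
    private static final String TAG = "FieldDBWebView"; // assumed log tag

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "Refusing to load " + error.getUrl() + ": " + describe(error));
        handler.cancel();
    }

    // Human-readable reason for the primary error reported by the WebView.
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_EXPIRED:      return "certificate has expired";
            case SslError.SSL_IDMISMATCH:   return "hostname does not match certificate";
            case SslError.SSL_NOTYETVALID:  return "certificate is not yet valid";
            case SslError.SSL_UNTRUSTED:    return "certificate authority is not trusted";
            case SslError.SSL_DATE_INVALID: return "certificate date is invalid";
            case SslError.SSL_INVALID:      return "generic certificate error";
            default:                        return "unknown SSL error";
        }
    }
}
```

Auditing a code base for this issue means searching every `onReceivedSslError` override for an unconditional `proceed()`, including in third-party libraries bundled into the APK, since the scan reports the class name but not which dependency shipped it.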