
What to do when you receive "Google Play Warning: SSL Error Handler Vulnerability"

The warning from Google

I received the following email from Google.

Hello Google Play Developer,

Your app listed at the end of this email has an unsafe implementation of  
the WebViewClient.onReceivedSslError handler. Specifically, the  
implementation ignores all SSL certificate validation errors, making your  
app vulnerable to man-in-the-middle attacks. An attacker could change the  
affected WebView's content, read transmitted data (such as login  
credentials), and execute code inside the app using JavaScript.

Please address this vulnerability as soon as possible and increment the  
version number of the upgraded APK. To properly handle SSL certificate  
validation, change your code to invoke SslErrorHandler.proceed() whenever  
the certificate presented by the server meets your expectations, and invoke  
SslErrorHandler.cancel() otherwise. If you are using a 3rd party library  
that's responsible for this, please notify the 3rd party and work with them  
to address the issue.

For more information about the SSL error handler, please see our  
documentation in the Android Developers Help Center. For other technical  
questions, you can post to Stack Overflow and use the tags  
“android-security” and “SslErrorHandler.”

To confirm you've upgraded correctly, submit the updated version to the  
Developer Console and check back after five hours. If the app hasn't been  
upgraded correctly, we will display a warning.

While these specific issues may not affect every app that uses WebView SSL,  
it's best to stay up to date on all security patches. Apps with  
vulnerabilities that expose users to risk of compromise may be considered  
Dangerous Products in violation of the Content Policy and section 4.4 of  
the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content  
Policy. If you feel we have sent this warning in error, contact our policy  
support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043

Email preferences: You have received this mandatory email service  
announcement to update you about important changes to your Google Play  
Developer account.


Affected app(s), version(s), and class(es):

In short: the handling of invalid SSL certificates is vulnerable, so fix it.
A quick search turned up an earlier Qiita post on exactly this. Much appreciated.

How to deal with the WebViewClient.onReceivedSslError security alert
http://qiita.com/hymmr/items/218e15541191a7a681e4

The solution there is to show a dialog when an invalid certificate is encountered and let the user choose whether to proceed.
Wonderful!

I could have applied it as-is, but I turned it into a class.

A class that shows a dialog on SSL certificate errors

SslAlertDialog.java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.webkit.SslErrorHandler;

/**
 * Dialog dedicated to SSL alerts.<br>
 * When the certificate is invalid, lets the user decide whether to proceed.
 */
public class SslAlertDialog {

    private SslErrorHandler handler = null;
    private AlertDialog dialog = null;

    public SslAlertDialog(SslErrorHandler errorHandler, Activity activity) {

        if (errorHandler == null || activity == null) return;

        handler = errorHandler;

        AlertDialog.Builder builder = new AlertDialog.Builder(activity);
        builder.setMessage("ssl証明書が正しくありません。ページを開きますか?");
        // "yes": the user accepts the certificate and the page is loaded
        builder.setPositiveButton("yes", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        // "no": the page load is aborted
        builder.setNegativeButton("no", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        // Dismissing the dialog (back key, tap outside) must also resolve the
        // handler, otherwise the WebView waits forever. Treat it as "no".
        builder.setOnCancelListener(new DialogInterface.OnCancelListener() {
            @Override
            public void onCancel(DialogInterface dialog) {
                handler.cancel();
            }
        });

        dialog = builder.create();
    }

    public void show() {
        // The constructor leaves dialog null when given null arguments;
        // guard against the NullPointerException show() would otherwise throw.
        if (dialog != null) dialog.show();
    }

}

Usage

// Inside the WebViewClient attached to the WebView in HogeActivity
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    SslAlertDialog dialog = new SslAlertDialog(handler, HogeActivity.this);
    dialog.show();
}
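Google's notice asks that proceed() be called only when the certificate meets the app's expectations and cancel() otherwise. The following is an added example, not code from this post or the linked one: a WebViewClient that accepts the SSL error only for a single pinned certificate on a single host and cancels everything else. The host name, the pinned SHA-256 value, the class name PinnedSslWebViewClient and the use of SslCertificate.getX509Certificate() (API 29+) are assumptions of this example.

```java
// Added example, not from the original post. Accepts a WebView SSL error only when
// the server presents the one certificate the app expects; cancels otherwise.
// Assumes API 29+ for SslCertificate.getX509Certificate(). EXPECTED_HOST and
// EXPECTED_SHA256 are placeholders the app owner must replace.
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

public class PinnedSslWebViewClient extends WebViewClient {

    // Placeholders: the real host and the SHA-256 of its DER-encoded certificate.
    private static final String EXPECTED_HOST = "example.invalid";
    private static final byte[] EXPECTED_SHA256 = new byte[32];

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (isExpectedCertificate(error)) {
            handler.proceed();   // only for the single pinned certificate
        } else {
            Log.w("PinnedSslWebViewClient",
                  "Rejecting SSL error " + error.getPrimaryError() + " for " + error.getUrl());
            handler.cancel();    // default: never render a page over a broken TLS connection
        }
    }

    /** True only when the URL is our host and the server cert hashes to the pinned value. */
    static boolean isExpectedCertificate(SslError error) {
        String host = Uri.parse(error.getUrl()).getHost();
        if (!EXPECTED_HOST.equals(host)) return false;
        SslCertificate cert = error.getCertificate();
        X509Certificate x509 = cert == null ? null : cert.getX509Certificate(); // API 29+
        if (x509 == null) return false;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
            // constant-time comparison of the pinned hash
            return MessageDigest.isEqual(digest, EXPECTED_SHA256);
        } catch (GeneralSecurityException e) {
            return false;        // unreadable certificate: treat as not expected
        }
    }
}
```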

If you suddenly get a warning from Google, give this a try.
