android – Google Play安全警报 – 您的应用正在使用HostnameVerifier的不安全实现

前端之家收集整理的这篇文章主要介绍了android – Google Play安全警报 – 您的应用正在使用HostnameVerifier的不安全实现前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
最近我的一个应用程序收到了来自Google Play的安全警报,如下所示.

您的应用程序正在使用HostnameVerifier的不安全实现.有关修复和截止日期的详细信息,请参阅Google Play Help Center文章链接.

以下是我的代码.

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){ 
    public boolean verify(String arg0,SSLSession arg1) {
        return true;
}});

任何人都可以通过示例来解释,我应该做些什么更改来修复此警告?

解决方法

同样在这里 – 在APK中检测到不安全的主机名验证程序

Your app is using an unsafe implementation of HostnameVerifier. Please
see this Google Help Center article for details,including the
deadline for fixing the vulnerability. Im not using HostnameVerifier
and not calling setDefaultHostnameVerifier. Moreover – Im using OKHTTP
lib for http-requests. I hope that defining TrustManager will solve
this issue.

由于我不是子类化HostnameVerifier或调用setDefaultHostnameVerifier(),我认为它依赖于某些第三方库.由于我无法检测到这样的lib,我想我会尝试添加一个包含以下代码的类

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(final String hostname,final SSLSession session) {
        if (/* check if SSL is really valid */)
            return true;
        else
            return false;
    }
});

到我的项目,将看看它是否解决了这个问题.
所以我做了它,除了每个webView我都添加了重写方法

@Override
public void onReceivedSslError(WebView view,final SslErrorHandler handler,SslError error) {
    // the main thing is to show dialog informing user
    // that SSL cert is invalid and prompt him to continue without 
    // protection: handler.proceed();
    // or cancel: handler.cancel();
    String message;
    switch(error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_date_invalid);
            break;
        case SslError.SSL_EXPIRED:
            message = ResHelper.getString(R.string.ssl_cert_error_expired);
            break;
        case SslError.SSL_IDMISMATCH:
            message = ResHelper.getString(R.string.ssl_cert_error_idmismatch);
            break;
        case SslError.SSL_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_invalid);
            break;
        case SslError.SSL_NOTYETVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_not_yet_valid);
            break;
        case SslError.SSL_UNTRUSTED:
            message = ResHelper.getString(R.string.ssl_cert_error_untrusted);
            break;
        default:
            message = ResHelper.getString(R.string.ssl_cert_error_cert_invalid);
    }
    mSSLConnectionDialog = new MaterialDialog.Builder(getParentActivity())
            .title(R.string.ssl_cert_error_title)
            .content(message)
            .positiveText(R.string.continue_button)
            .negativeText(R.string.cancel_button)
            .titleColorRes(R.color.black)
            .positiveColorRes(R.color.main_red)
            .contentColorRes(R.color.comment_grey)
            .backgroundColorRes(R.color.sides_menu_gray)
            .onPositive(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog,DialogAction dialogAction) {
                    mSSLConnectionDialog.dismiss();
                    handler.proceed();
                }
            })
            .onNegative(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog,DialogAction dialogAction) {
                    handler.cancel();
                }
            })
            .build();
    mSSLConnectionDialog.show(); 
}

到了

mWebView.setWebViewClient(new WebViewClient() {
... // other corresponding overridden methods
}

最后谷歌说:

SECURITY SCAN COMPLETE
No known vulnerabilities were detected for APK 158.

但是我不确定mWebView.setWebViewClient的代码是什么,HostNameVerifier或onReceivedSslError().注意:HostNameVerifier.setDefaultHostnameVerifier()不应该像在代码中一样返回true!它必须实现一些逻辑来检查它是否都可以使用SSL并返回true或false.这很重要.

猜你在找的Android相关文章