Sergio

Reputation: 31

Codenameone Google Play Warning: SSL Error Handler Vulnerability

I developed an app using the Codename One platform. After submitting the app to the Play Store, I received the following warning email:

*"We detected that your app(s) listed at the end of this email are using an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. You can also see the list of affected apps, as well as details such as version numbers and class names, on the Alerts page in your Developer Console.

Your current implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

What’s happening

Beginning November 25, 2016, Google Play will block publishing of any new apps or updates that contain this vulnerability. Your published APK version will remain unaffected, however any updates to the app will be rejected unless you address this vulnerability.

Action required

I was researching but unfortunately I didn't find anything about that. I think that maybe it is an internal issue of the platform, but I'm not sure. What do you think?

Thanks in advance.

Upvotes: 2

Views: 737

Answers (2)

Shai Almog

Reputation: 52770

You can look through the sources of the Codename One port and see that there is no usage of that method:

https://github.com/codenameone/CodenameOne/blob/master/Ports/Android/src/com/codename1/impl/android/AndroidImplementation.java#L3768

So there is no such violation within Codename One as far as I can tell. There are thus two options I can think of:

  1. Google is wrong - wouldn't be the first time with those guys... + I submitted a Codename One Android app just the other day and didn't get such an error

  2. You added a 3rd party cn1lib/extension/native code to your project which you can verify by looking under android/native or within the lib directory to see if you have anything in the former or a .cn1lib file in the latter.

Upvotes: 0

Steffen Ullrich

Reputation: 123380

Not properly validating the certificate of an SSL connection is a serious issue because this way you effectively weaken the protection offered by SSL a lot and allow easy man-in-the-middle attacks. This way an attacker might sniff the transferred data and even modify the data. Thus the issue should be fixed.

But with the currently shown information it is impossible to say if the error is in your (unknown) code or some (unknown) third-party library or in the wrong usage of a third-party library. But a common cause for such errors is that one is trying to use a self-signed certificate and switches off validation for this purpose. Another common cause is the intention to switch off validation for development only but then inadvertently failing to enable it again for production.

Upvotes: 1
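Both answers come down to locating the code that overrides the WebView SSL error callback, either in the project's native sources or inside a bundled `.cn1lib`. The following is an added example, not code from either answer or from Codename One: a scanner that walks a project tree, opens nested archives, and lists every file that names `onReceivedSslError`, flagging those that also mention `proceed`. It assumes a `.cn1lib` is a zip archive that may contain further zips; the sample file names (`Browser.java`, `ads.cn1lib`, `nativeand.zip`, `AdView.java`) are constructed, and the `proceed` flag is a byte-match heuristic that marks a file for manual review.

```python
import io
import os
import tempfile
import zipfile

MARKER = b"onReceivedSslError"  # WebViewClient callback named in the warning
PROCEED = b"proceed"            # SslErrorHandler.proceed() accepts the bad certificate

def _scan(label, data, hits, depth=0):
    """Check one file's bytes, descending into nested archives (cn1lib, jar, aar)."""
    buf = io.BytesIO(data)
    if depth < 4 and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    _scan(f"{label}!{info.filename}", zf.read(info), hits, depth + 1)
    elif MARKER in data:
        hits.append((label, PROCEED in data))

def find_ssl_error_handlers(project_root):
    """Return sorted (location, mentions_proceed) for each file that names the callback."""
    hits = []
    for dirpath, _dirs, files in os.walk(project_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, project_root).replace(os.sep, "/")
                _scan(rel, fh.read(), hits)
    return sorted(hits)

def build_sample_project(root):
    """Constructed sample: one native source file and one .cn1lib with a nested zip."""
    java = "public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { %s }"
    os.makedirs(os.path.join(root, "android", "native"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "android", "native", "Browser.java"), "w") as fh:
        fh.write(java % "h.proceed();")   # ignores every certificate error
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("com/example/AdView.java", java % "h.cancel();")  # safe default
    with zipfile.ZipFile(os.path.join(root, "lib", "ads.cn1lib"), "w") as zf:
        zf.writestr("nativeand.zip", inner.getvalue())  # assumed archive layout
        zf.writestr("main.zip", b"no webview code here")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        for location, proceeds in find_ssl_error_handlers(tmp):
            print("REVIEW" if proceeds else "ok    ", location)
```

Because compiled `.class` files keep method names as plain strings, the same byte match also works on jars without source; a flagged file still needs to be read to confirm that `proceed()` is called unconditionally.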
