Google Play Warning: SSL Error Handler Vulnerability have a False Positive for WebViewClient.onReceivedSslErrorHandler SSL

Question

I am contributor for a shared library project that just received notice one of our customers received this warning from the Google Play Store,

Hello Google Play Developer, In July, the app submissions listed at the end of this email were rejected due to an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. This implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

When looking into our AuthorizationWebViewClient which extends WebViewClient, we do not implement onReceivedSslErrorHandler, meaning we fall under the default implementation putting this library in the clear.

Can we get confirmation if this is a false positive or if there are changes that have to be made to this library?

UPDATE: This was due to the version of the SDK used being much older when this vulnerability was present, the current codebase does not have this issue hence the disconnect.

Answer 1

I'm not sure what the specific app in question is, but there are apps which have a vulnerable com.microsoft.services.msa.AuthorizationRequest$OAuthDialog$AuthorizationWebViewClient.

For example, disassembling the code of one app shows that it does in fact have an onReceivedSslErrorHandler implementation.

.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .registers 4
    .param p1, "view"    # Landroid/webkit/WebView;
    .param p2, "handler"    # Landroid/webkit/SslErrorHandler;
    .param p3, "error"    # Landroid/net/http/SslError;

    .prologue
    .line 143
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V

    .line 144
    return-void
.end method