dotrinh DM

Reputation: 1393

Android App is not approved with SSL Error Handler

I released a production Android app last month, but I had trouble with the SSL Error Handler.

I followed Stack Overflow's and Google's tutorials, however Google still doesn't approve my app (note: this QA is not a duplicate).

  1. https://support.google.com/faqs/answer/7071387
  2. SSL Error Handler WebView Android

My code is implemented as follows:

In any Fragment or Activity that uses WebViewClient, I've handled the SSL error like this:

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // LogI and ctx are helpers/fields of the enclosing class
        LogI("onReceivedSslError: " + error.getCertificate());
        AlertDialog.Builder builder = new AlertDialog.Builder(ctx);
        AlertDialog alertDialog = builder.create();
        String message;
        // Map the primary SSL error code to a human-readable message
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
            case SslError.SSL_DATE_INVALID:
                message = "The date of the certificate is invalid.";
                break;
            default:
                message = "A generic error occurred.";
                break;
        }
        message += " Do you want to continue anyway?";
        alertDialog.setTitle("SSL Certificate Error");
        alertDialog.setMessage(message);
        // OK lets the page load despite the certificate error; Cancel aborts the load
        alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", (dialog, which) -> handler.proceed());
        alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", (dialog, which) -> handler.cancel());
        alertDialog.show();
    }

So, why is my app not approved? What should I do next?

Thank you for your advice!

Update 1: I released my app in 2019 and updated it many times (there was no problem). But from 2021/5 I've got this problem.

Upvotes: 1

Views: 2700

Answers (3)

dotrinh DM

Reputation: 1393

Maybe these errors are from old APK/AAB versions; remove/deactivate them before submitting new APKs/AABs.

Upvotes: 1

Eishon

Reputation: 1324

This is the code I used in my App and it was accepted. The only difference I am seeing is the try-catch block. My suggestion would be to try a simpler version on the Play Store first, then update it with the specific type of error message.

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    try {
        // Build a dialog asking the user whether to continue past the certificate error
        final AlertDialog.Builder builder = new AlertDialog.Builder(PaymentActivity.this);
        builder.setMessage(R.string.notification_error_ssl_cert_invalid);
        // "continue" lets the load go ahead despite the error
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        // "cancel" aborts the load
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    } catch (Exception e) {
        e.printStackTrace();
    }
}

Upvotes: 0

snachmsm

Reputation: 19243

You have to call either handler.cancel(); (that's for your case) or super.onReceivedSslError(view, handler, error); straight inside onReceivedSslError. HERE you have some docs, in which:

The host application must call either SslErrorHandler#cancel or SslErrorHandler#proceed

and also

Application overrides of this method may display custom error pages or silently log issues, but it is strongly recommended to always call SslErrorHandler#cancel and never allow proceeding past errors.

Without any of these calls, some Google bot which checks apps may think that you are disabling SSL validation altogether, which may be insecure for the user.

Upvotes: 2
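As an added example (not code from the question or any of the answers), here is what a WebViewClient that follows the documentation quoted above looks like: it keeps the error-code mapping from the question's code, logs the failure, calls handler.cancel() unconditionally, and shows a local error page instead of a dialog with a "proceed" option. The class name StrictSslWebViewClient, the TAG constant and the message strings are my own choices; everything else is standard android.webkit / android.net.http API.

```java
import android.net.http.SslError;
import android.text.Html;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * A WebViewClient that never bypasses certificate validation.
 * Every SSL error is cancelled, logged, and replaced by a local error page.
 * (Added example; class name and messages are this example's own.)
 */
public class StrictSslWebViewClient extends WebViewClient {

    private static final String TAG = "StrictSslWebViewClient";

    /** Maps SslError primary codes to user-facing text (same cases as the question's switch). */
    static String describeSslError(int primaryError) {
        switch (primaryError) {
            case SslError.SSL_UNTRUSTED:    return "The certificate authority is not trusted.";
            case SslError.SSL_EXPIRED:      return "The certificate has expired.";
            case SslError.SSL_IDMISMATCH:   return "The certificate hostname does not match.";
            case SslError.SSL_NOTYETVALID:  return "The certificate is not yet valid.";
            case SslError.SSL_DATE_INVALID: return "The date of the certificate is invalid.";
            case SslError.SSL_INVALID:      return "The certificate is invalid.";
            default:                        return "A certificate error occurred.";
        }
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Cancel first and unconditionally: the load is aborted whatever happens below,
        // and the handler is always answered, which is what the documentation requires.
        handler.cancel();

        String reason = describeSslError(error.getPrimaryError());
        // Log enough to diagnose a misconfigured server without trusting it.
        Log.w(TAG, "SSL error for " + error.getUrl() + ": " + reason
                + " (code " + error.getPrimaryError() + ")");

        // Replace the blocked page with a local explanation. No "proceed" button is offered,
        // so a user cannot be talked into accepting a bad certificate.
        String html = "<html><body><h2>Secure connection failed</h2><p>"
                + Html.escapeHtml(reason)
                + "</p><p>The page at "
                + Html.escapeHtml(error.getUrl())
                + " was not loaded.</p></body></html>";
        view.loadDataWithBaseURL(null, html, "text/html", "UTF-8", null);
    }
}
```

Install it with `webView.setWebViewClient(new StrictSslWebViewClient());`. If the app genuinely needs to reach a test server with a self-signed certificate, the place for that is a network security config (res/xml/network_security_config.xml) that trusts that one certificate, not a proceed() call in the error handler.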
