android-security

android Google Play Warning: SSL Error Handler Vulnerability

情到浓时终转凉″ posted on 2019-11-27 02:49:04
Question: I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject: "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an ["unsafe implementation of the WebViewClient.onReceivedSslError handler"] and they recommended me to ["To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and

Android: Removing OpenCV older version will resolve Libpng Vulnerability warning?

£可爱£侵袭症+ posted on 2019-11-26 22:46:34
I got an email from Google play store regarding - "Google Play warning: You are using a vulnerable version of libpng". Email contains the below information - https://support.google.com/faqs/answer/7011127 I didn't use libpng library in my application anywhere. But, in my android application, I am using the OpenCV2.4.5 library. After searching in the internet, I came to know that the OpenCV library uses the libpng. My question - The upgrading of OpenCV2.4.5 to OpenCV3.1.0 will resolve "vulnerable version of libpng" warning? Yes, now confirmed with Google: Updating to 3.1.0 will fix the issue -

an unsafe implementation of the interface X509TrustManager from google

不问归期 posted on 2019-11-26 20:03:29
Question: I have an app in Google Play, I received a mail from Google saying that: Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom

Google Play Security Alert - Your app is using an unsafe implementation of the HostnameVerifier

送分小仙女□ posted on 2019-11-26 17:51:16
Question: Recently one of my apps got a security alert from Google Play as below. Your app is using an unsafe implementation of the HostnameVerifier. And refer a link to Google Play Help Center article for details regarding to fixing and deadline of vulnerability. Below is my code. HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){ public boolean verify(String arg0, SSLSession arg1) { return true; }}); Anyone can explain with example about, what changes should I do to fix this warning?

How to determine which dependency causes Google Play OpenSSL warning?

假装没事ソ posted on 2019-11-26 16:48:59
I'm currently working on a big legacy project and trying to fix the OpenSSL vulnerability issue as explained at How to address OpenSSL vulnerabilities in your apps. The problem is, there are a lot of dependencies, some are open source (I updated all that didn't break the compatibility) added as Gradle import, some are custom/closed source provided by partners and contractors of the company I work for and attached to the project as JARs. Is there any way to pinpoint specific library that has this vulnerability? I used the bash script provided at Google Play and OpenSSL warning message and it

Google Play security alert for insecure TrustManager

不问归期 posted on 2019-11-26 16:33:17
Question: In one of my apps I'm using HTTPS with a self-signed certificate and followed the sample code from the android developer training site (https://developer.android.com/training/articles/security-ssl.html#UnknownCa). I recently got the following alert saying that the current implementation is not secured: Security alert Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center

Android: Removing OpenCV older version will resolve Libpng Vulnerability warning?

六月ゝ 毕业季﹏ posted on 2019-11-26 08:26:21
Question: I got an email from Google play store regarding - "Google Play warning: You are using a vulnerable version of libpng". Email contains the below information - https://support.google.com/faqs/answer/7011127 I didn't use libpng library in my application anywhere. But, in my android application, I am using the OpenCV2.4.5 library. After searching in the internet, I came to know that the OpenCV library uses the libpng. My question - The upgrading of OpenCV2.4.5 to OpenCV3.1.0 will resolve

Webview avoid security alert from google play upon implementation of onReceivedSslError

独自空忆成欢 posted on 2019-11-26 03:28:08
Question: I have a link which will open in webview. The problem is it cannot be opened until I override onReceivedSslError like this: @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { handler.proceed(); } I am getting security alert from google play saying: Security alert Your application has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your