问题
Sorry for my english. I need load url https, i have some problems. When i try load page, webView give me error
primary error: 3 certificate: Issued to: CN=my-site.com;
Issued by: CN=GeoTrust DV SSL CA - G3,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US;
on URL: https://my-site.com/tutorial.php
if i create custom WebView client and redefine method onReceivedSslError like this:
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
handler.proceed();
}
Then when i will load this app to play market, people from google will say me:
Your APK has been rejected for containing security vulnerabilities, which violates the Malicious Behavior policy
I can fix this, do something like this:
final AlertDialog.Builder builder = new AlertDialog.Builder(WebViewTutorials.this);
String message = "SSL Certificate error.";
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
}
message += " Do you want to continue anyway?";
builder.setTitle("SSL Certificate Error");
builder.setMessage(message);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
//handler.cancel();
finish();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
but for this app show user popUp window is unacceptable People from backend sayd me "It your problem on client". I don't know what me do, need show user webView page but not show popUp window whith warnings
回答1:
Hi your first problem is with your SSL certificate, the WebView does not to generate an HTTPS connection. Anyway the another problem is that you override the method onReceivedSslError and use handler.proceed(); without advise to the user that you use an no secure connection is an security vulnerability for android and for this reason the Play Store not allow to you to publish your apk.
The best approach is to correct the certificate problem for the app can comunicate with the server with an https connection.
Anyway, you can change the implementation of the method for example in this way to avoid the publish problem:
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
builder.setMessage(R.string.notification_error_ssl_cert_invalid);
builder.setPositiveButton("Continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("Cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
You can check the security section of android developers to get more information about this vulnerability and the correction.
来源:https://stackoverflow.com/questions/42468223/webview-ssl-error