When I try to publish my app, the Google Play Console says that I have a vulnerability in my app due to SSL Error Handler. I followed the Google Help Center solution https://support.google.com/faqs/answer/7071387, and tried to publish again, but no success. I got in touch with Google Play Support, and they have answered me:
I took a look at your app, and version PET App of 10 has the following class, which contains a vulnerable version of SslErrorHandler:
And here is the code I'm using to handle the SslError:
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(SigpetActivity.this);
String message = "SSL Certificate error.";
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
}
builder.setMessage(message+" Clique em 'CONTINUAR' para permitir o acesso ao Sigpet");
builder.setPositiveButton("continuar", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancelar", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
finish();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
I'm using no third party library for this, just android webkit WebClient.
How can I fix it to let them allow me to publish my app?
My guess is that Google doesn't like you calling
proceed()
orcancel()
asynchronously in anonClick
callback. Instead, you should do it synchronously in theonReceivedSslError()
method itself.