I am a contributor to a shared library project that just received notice that one of our customers received this warning from the Google Play Store:

> Hello Google Play Developer, In July, the app submissions listed at the end of this email were rejected due to an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. This implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

When looking into our `AuthorizationWebViewClient`, which extends `WebViewClient`, we do not implement `onReceivedSslErrorHandler`, meaning we fall under the default implementation, putting this library in the clear.

Can we get confirmation if this is a false positive or if there are changes that have to be made to this library?

UPDATE: This was due to the version of the SDK used being much older, from when this vulnerability was present; the current codebase does not have this issue, hence the disconnect.

Peter Nied
  • Our implementation does override [`onReceivedError(...)`](https://github.com/OfficeDev/msa-auth-for-android/blob/master/src/main/java/com/microsoft/services/msa/AuthorizationRequest.java#L136) but I would expect that to be unrelated to this warning. – Peter Nied Sep 22 '16 at 16:39

1 Answer

I'm not sure what the specific app in question is, but there are apps which have a vulnerable `com.microsoft.services.msa.AuthorizationRequest$OAuthDialog$AuthorizationWebViewClient`.

For example, disassembling the code of one app shows that it does in fact have an `onReceivedSslErrorHandler` implementation:

```smali
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .registers 4
    .param p1, "view"    # Landroid/webkit/WebView;
    .param p2, "handler"    # Landroid/webkit/SslErrorHandler;
    .param p3, "error"    # Landroid/net/http/SslError;

    .prologue
    .line 143
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V

    .line 144
    return-void
.end method
```

Antimony
  • Thanks, this was fixed in a release over a year ago, and it looks like this product hasn't upgraded their version. It took a bunch of time to track down that this was an issue in the past. Would it be possible to have all module versions listed in the warning message sent to developers to quicken discovery and resolution? – Peter Nied Oct 06 '16 at 19:04
  • The problem is that there is no general way to know why given code was included in an app (whether it is part of an sdk, and if so which version). Also, every SDK has its own versioning scheme, and some apps are obfuscated. – Antimony Oct 07 '16 at 01:00
  • You can overcome those technical challenges to make a scary experience more approachable. I believe in you guys! – Peter Nied Oct 07 '16 at 23:04
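To check whether a shipped build still bundles an old SDK copy with this override, the disassembly can be searched for the pattern quoted in the answer. The following is an added example, not code from the original posts or from the MSA library; the names `classify` and `scan_tree` and the finding labels are hypothetical, and the check is a heuristic over smali text such as apktool output.

```python
import re
from pathlib import Path

# Heuristic: matches the smali body of an onReceivedSslError override.
METHOD_RE = re.compile(
    r"^\.method[^\n]*\bonReceivedSslError\("
    r"Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;\)V"
    r"(?P<body>.*?)^\.end method",
    re.MULTILINE | re.DOTALL,
)
PROCEED = "Landroid/webkit/SslErrorHandler;->proceed()V"
CANCEL = "Landroid/webkit/SslErrorHandler;->cancel()V"
BRANCH_RE = re.compile(r"^\s*(if-\w+|packed-switch|sparse-switch)\b", re.MULTILINE)


def classify(smali_text):
    """Return one finding per onReceivedSslError override found in smali_text."""
    findings = []
    for m in METHOD_RE.finditer(smali_text):
        body = m.group("body")
        if PROCEED not in body:
            findings.append("no-direct-proceed")  # no proceed() call in this body
        elif CANCEL not in body and not BRANCH_RE.search(body):
            findings.append("unconditional-proceed")  # pattern the Play warning describes
        else:
            findings.append("needs-review")  # proceeds on some path; read the logic
    return findings


def scan_tree(root):
    """Map each .smali file under root to its findings (files without an override are omitted)."""
    hits = {}
    for path in Path(root).rglob("*.smali"):
        found = classify(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# Constructed samples; VULNERABLE mirrors the disassembly quoted in the answer.
VULNERABLE = """\
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .registers 4
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    return-void
.end method
"""
CANCELLING = VULNERABLE.replace("proceed()V", "cancel()V")
```

A class that does not override the method produces no finding at all, which matches the case described in the question: the default `WebViewClient.onReceivedSslError` cancels the load.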