App rejected by Google Play

Question

Im developing an Android App which contains Social Networking Login. After this issue, I removed the class which contains "WebViewClient.onReceivedSslError". But when I upload the App in Google Play Store, it got rejected with the following error.

"How to address WebView SSL Error Handler alerts in your apps."

Im also using the class for sending the mail in background without Intent. This uses "SSL" and "TrustManagerFactory.X509". Will this is the reason for rejection? I suppose if this is the reason for rejection, then I might get someother error like " App Rejected By Google Play Store due to unsafe implementation of the X509TrustManager".

Looking for support. Thanks in advance.

---

This is the message Im getting from Google Play.

Hello Google Play Developer,

We rejected VISApp, with package name com.avonmobility.visapp, for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability APK Version(s) SSL Error Handler For more information on how to address WebView SSL Error Handler alerts, please see this Google Help Center article.

15 To confirm you’ve upgraded correctly, submit the updated version of your app to the Developer Console and check back after five hours to make sure the warning is gone.

While these vulnerabilities may not affect every app that uses this software, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known security issues, even if you're not sure the issues are relevant to your app.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.

If you feel we have made this determination in error, please reach out to our developer support team.

Best,

The Google Play Team

Answer 1

To Solve Google Play Warning: WebViewClient.onReceivedSslError handler

Not Always force to handler.proceed(); but you have to also include handler.cancel(); so user can avoid unsaif content from loading.

To Handle unsafe implementation of the WebViewClient.onReceivedSslError handler

use the following code

 webView.setWebViewClient(new SSLTolerentWebViewClient());
 webView.loadUrl(myhttps url);

Than

 private class SSLTolerentWebViewClient extends WebViewClient {
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {

    AlertDialog.Builder builder = new AlertDialog.Builder(Tab1Activity.this);
    AlertDialog alertDialog = builder.create();
    String message = "SSL Certificate error.";
    switch (error.getPrimaryError()) {
        case SslError.SSL_UNTRUSTED:
            message = "The certificate authority is not trusted.";
            break;
        case SslError.SSL_EXPIRED:
            message = "The certificate has expired.";
            break;
        case SslError.SSL_IDMISMATCH:
            message = "The certificate Hostname mismatch.";
            break;
        case SslError.SSL_NOTYETVALID:
            message = "The certificate is not yet valid.";
            break;
    }

    message += " Do you want to continue anyway?";
    alertDialog.setTitle("SSL Certificate Error");
    alertDialog.setMessage(message);
    alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            // Ignore SSL certificate errors
            handler.proceed();
        }
    });

    alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {

            handler.cancel();
        }
    });
    alertDialog.show();
}
}

You Have To Alert User For SSL So Google Will Allow Your App To Do This

Answer 2

I also had SSLCertification issue at the time uploading singed apk.
you have to return true for all your trusted http hosts including 3rd party libraries http.

Here i am putting how i solved that issue, sorry for security i didn't put original path of links, these Link Helps me.

     TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] myTrustedAnchors = new X509Certificate[0];
            return myTrustedAnchors;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
      }};
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession arg1) {
                if (hostname.equalsIgnoreCase("demo.mysite.com") ||
                        hostname.equalsIgnoreCase("prod.mysite.com") ||
                        hostname.equalsIgnoreCase("22.2.202.22:3333") ||
                        hostname.equalsIgnoreCase("cloud.cloudDeveSite.net") ||                            
                        hostname.equalsIgnoreCase("11.2.222.22:2222") ||
                        hostname.equalsIgnoreCase("multispidr.3rdPartyLibrary.io")) {
                    return true;
                } else {
                    return false;
                }
            }
        });

Mentioned all api's which having SSLCertification issue, you also have to mention 3rd party api's too, you will get those HTTP links in error at the time when you run that code.

Answer 3

same problem for me add this in your project create one class .

                  import org.apache.http.HttpVersion;
       import org.apache.http.conn.ClientConnectionManager;
        import org.apache.http.conn.scheme.PlainSocketFactory;
        import org.apache.http.conn.scheme.Scheme;
       import org.apache.http.conn.scheme.SchemeRegistry;
     import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
        import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
      import org.apache.http.params.BasicHttpParams;
                                import org.apache.http.params.HttpParams;
    import org.apache.http.params.HttpProtocolParams;
       import org.apache.http.protocol.HTTP;

          import java.io.BufferedInputStream;
     import java.io.IOException;
      import java.io.InputStream;
     import java.net.Socket;
     import java.security.KeyManagementException;
     import java.security.KeyStore;
   import java.security.KeyStoreException;
   import java.security.NoSuchAlgorithmException;
   import java.security.UnrecoverableKeyException;
     import java.security.cert.Certificate;
       import java.security.cert.CertificateException;
     import java.security.cert.CertificateFactory;
       import java.security.cert.X509Certificate;

        import javax.net.ssl.HttpsURLConnection;
         import javax.net.ssl.SSLContext;
     import javax.net.ssl.TrustManager;
     import javax.net.ssl.X509TrustManager;


       public class MySSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");


public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    super(truststore);

    X509TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    sslContext.init(null, new TrustManager[]{tm}, null);
}

@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
    return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}

@Override
public Socket createSocket() throws IOException {
    return sslContext.getSocketFactory().createSocket();
}

/**
 * Makes HttpsURLConnection trusts a set of certificates specified by the KeyStore
 */
public void fixHttpsURLConnection() {
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
}

/**
 * Gets a KeyStore containing the Certificate
 *
 * @param cert InputStream of the Certificate
 * @return KeyStore
 */
public static KeyStore getKeystoreOfCA(InputStream cert) {

    // Load CAs from an InputStream
    InputStream caInput = null;
    Certificate ca = null;
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        caInput = new BufferedInputStream(cert);
        ca = cf.generateCertificate(caInput);
    } catch (CertificateException e1) {
        e1.printStackTrace();
    } finally {
        try {
            if (caInput != null) {
                caInput.close();
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = null;
    try {
        keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return keyStore;
}

/**
 * Gets a Default KeyStore
 *
 * @return KeyStore
 */
public static KeyStore getKeystore() {
    KeyStore trustStore = null;
    try {
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
    } catch (Throwable t) {
        t.printStackTrace();
    }
    return trustStore;
}

/**
 * Returns a SSlSocketFactory which trusts all certificates
 *
 * @return SSLSocketFactory
 */
public static SSLSocketFactory getFixedSocketFactory() {
    SSLSocketFactory socketFactory;
    try {
        socketFactory = new MySSLSocketFactory(getKeystore());
        socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    } catch (Throwable t) {
        t.printStackTrace();
        socketFactory = SSLSocketFactory.getSocketFactory();
    }
    return socketFactory;
}

/**
 * Gets a DefaultHttpClient which trusts a set of certificates specified by the KeyStore
 *
 * @param keyStore custom provided KeyStore instance
 * @return DefaultHttpClient
 */
public static DefaultHttpClient getNewHttpClient(KeyStore keyStore) {

    try {
        SSLSocketFactory sf = new MySSLSocketFactory(keyStore);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sf, 443));

        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

        ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);

        return new DefaultHttpClient(ccm, params);
    } catch (Exception e) {
        return new DefaultHttpClient();
    }
}

}