24

In one of my apps I'm using HTTPS with a self-signed certificate and followed the sample code from the Android developer training site (https://developer.android.com/training/articles/security-ssl.html#UnknownCa).

I recently got the following alert saying that the current implementation is not secure:

Security alert

Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Can someone provide more details on what should be updated beyond the sample code linked above?

Should I implement a custom TrustManager? If so, what should it verify?


4 Answers

15

Try searching your code for "TrustManager"; if you don't find it, in most cases it is because of a bundled third-party library.

For me, it was because of an old version of ACRA (https://github.com/ACRA/acra).

answered 2016-02-19T02:57:35.197
4

For me, the problem was Mobilecore. I removed the library from the app and uploaded a new version of the apk, and the warning disappeared from the Google Play developer console.

answered 2016-02-19T10:50:39.640
3

Maybe late, but hopefully it helps someone: call this method before making the request to the server. If the certificate is not trusted, you have to implement a dialog or something else so the user can decide; here I use an alert dialog.

import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;

import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

// Shared between the UI thread (dialog callbacks) and the network thread that
// blocks in checkServerTrusted(); volatile so the wait loop below sees the update.
private static volatile boolean acceptSSL = false;
private static volatile boolean userRejected = false;

public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task) {
    try {
        // This verifier accepts every hostname, so the certificate is never
        // matched against the host actually being connected to.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new X509TrustManager[]{new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    // Only checks the leaf certificate's validity period (notBefore/notAfter);
                    // it does not verify the signature or that the chain leads to a trusted CA.
                    chain[0].checkValidity();
                } catch (final Exception e) {
                    // Reset the flags so a previous "OK" does not silently accept this certificate too.
                    acceptSSL = false;
                    userRejected = false;

                    mActivity.runOnUiThread(new Runnable() {
                        @Override
                        public void run() {
                            AlertDialog.Builder builder = new AlertDialog.Builder(mActivity);
                            AlertDialog alertDialog = builder.create();
                            alertDialog.setCancelable(false);
                            String message = "There is a problem with the security certificate for this web site.";
                            message += "\nDo you want to continue anyway?";
                            alertDialog.setTitle("SSL Certificate Error");
                            alertDialog.setMessage(message);
                            alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
                                @Override
                                public void onClick(DialogInterface dialog, int which) {
                                    acceptSSL = true;
                                }
                            });

                            alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
                                @Override
                                public void onClick(DialogInterface dialog, int which) {
                                    userRejected = true;
                                    acceptSSL = true; // release the waiting network thread
                                    task.onInterruptedDownload();
                                }
                            });
                            alertDialog.show();
                        }
                    });

                    // Block the network thread until the user has answered the dialog.
                    while (!acceptSSL) {
                        try {
                            Thread.sleep(1000);
                        } catch (InterruptedException er) {
                            // keep waiting for the user's decision
                        }
                    }

                    if (userRejected) {
                        // Fail the handshake so the connection is actually refused, not just the download task.
                        throw new CertificateException("Certificate rejected by user", e);
                    }
                }
            }

            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        }}, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    } catch (Exception e) { // should never happen
        e.printStackTrace();
    }
}

answered 2016-05-12T11:29:59.233
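The question asks what a custom TrustManager should verify. The answer above hand-writes checkServerTrusted() and only checks the validity period; the approach the linked Android page describes is to hand the self-signed CA to the platform's own X509TrustManager and let it do the chain, signature and expiry checks. The following is an added example written for this page, not code from the question, from any answer, or from the Android documentation; it uses only standard java.security and javax.net.ssl APIs. The resource name R.raw.my_ca in the comments is a placeholder, and isServerChainTrusted() is a helper added here for self-checks.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trust only the app's own self-signed CA, using the platform's X509TrustManager
 * for the actual validation instead of a hand-written checkServerTrusted().
 */
public final class PinnedCaTrust {

    private PinnedCaTrust() {}

    /**
     * Builds a trust manager whose only trust anchor is the certificate read from
     * caStream (DER or PEM). On Android the stream would typically come from
     * getResources().openRawResource(R.raw.my_ca); "my_ca" is a placeholder name.
     */
    public static X509TrustManager trustManagerFor(InputStream caStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caStream);

        // Fresh in-memory key store containing nothing but our CA. The system roots
        // are deliberately excluded, so a certificate from any public CA is rejected.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // This manager performs chain building, signature verification,
                // validity-period and basic-constraints checks against the key store.
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("No X509TrustManager available");
    }

    /** SSLContext wired to the pinned trust manager; the default SecureRandom is used. */
    public static SSLContext sslContextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        return ctx;
    }

    /**
     * Apply the context to one connection rather than via setDefaultSSLSocketFactory(),
     * so the rest of the process (including third-party libraries) keeps its own trust
     * settings. No setHostnameVerifier() call: the default verifier still matches the
     * certificate's CN/SAN against url's host.
     */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    /**
     * Self-check helper: true if the platform validator accepts the chain against the
     * pinned CA. authType is the key-exchange name JSSE would pass ("RSA", "ECDHE_RSA", ...).
     */
    public static boolean isServerChainTrusted(X509TrustManager tm,
                                               X509Certificate[] chain, String authType) {
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            return false;   // expired, bad signature, unknown issuer, wrong key usage, ...
        }
    }
}
```

Usage is three calls: tm = trustManagerFor(stream), ctx = sslContextFor(tm), then open(url, ctx).getInputStream() for each request. Two points matter for the Play warning: there is no custom checkServerTrusted() that returns without throwing, and the hostname verifier is left at its default, so a certificate issued by your CA for the wrong host is still rejected.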
1

I also found that ACRA 4.3 seems to be the likely culprit for my app.

Question: does anyone know whether the validation issue has been resolved? Currently, the Play Store I have access to does not cause Google to send me the warning, but one of the partners we publish the app through has received it. Before giving our partners a new APK, I would like to verify that the issue is resolved.

answered 2016-02-19T16:44:28.207