
I received this message from Google. We are not using any TrustManager or anything like it. We use okhttp and the Google publisher, and I don't know how to detect this security vulnerability.


We found that your app has a security vulnerability that may expose user information or damage user devices. This violates the Device and Network Abuse policy. Specifically, your app is vulnerable to TrustManager attacks. To resolve this issue, follow the steps in this Google Help Center article.

Affected version: APK: 21

dependencies {
    implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
    implementation "androidx.multidex:multidex:2.0.1"
    implementation 'com.google.android.material:material:1.2.1'

    implementation 'com.google.firebase:firebase-messaging:21.0.1'

    implementation 'com.facebook.android:facebook-android-sdk:8.2.0'

    implementation 'com.github.chrisbanes:PhotoView:2.1.3'
    implementation 'org.jsoup:jsoup:1.13.1'
    implementation 'com.android.billingclient:billing:3.0.2'
    annotationProcessor 'com.jakewharton:butterknife-compiler:10.2.3'
    implementation 'com.jakewharton:butterknife:10.2.3'

    implementation 'io.reactivex.rxjava3:rxjava:3.0.8'

    implementation 'com.google.code.gson:gson:2.8.6'

    implementation 'com.varunjohn1990.libraries:WhatsappMessengerView:2.1.0'

    implementation 'com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0'
    implementation 'com.google.auth:google-auth-library-oauth2-http:0.22.2'

    implementation 'com.github.drawers:SpinnerDatePicker:2.0.1'
    implementation 'com.elyeproj.libraries:loaderviewlibrary:2.0.0'
    implementation 'link.fls:swipestack:0.3.0'

    implementation 'jp.wasabeef:picasso-transformations:2.4.0'
    // If you want to use the GPU Filters
    implementation 'jp.co.cyberagent.android:gpuimage:2.1.0'

    implementation 'com.squareup.picasso:picasso:2.71828'

    implementation 'com.github.HamidrezaAmz:AndroidImageSlider:v1.0.8'
    implementation 'com.eightbitlab:blurview:1.6.3'

    implementation 'pl.bclogic:pulsator4droid:1.0.3'

    implementation 'com.google.android.play:core:1.9.0'

    implementation project(':bottomnavbar')
    implementation project(':segmentcontrol')
    implementation project(':scrool')
}

\build.gradle: Error: commons-logging defines classes that conflict with classes now provided by Android. Solutions include finding newer versions or alternative libraries that don't have the same problem (for example, for httpclient use HttpUrlConnection or okhttp instead), or repackaging the library using something like jarjar. [DuplicatePlatformClasses]

\build.gradle: Error: httpclient defines classes that conflict with classes now provided by Android. Solutions include finding newer versions or alternative libraries that don't have the same problem (for example, for httpclient use HttpUrlConnection or okhttp instead), or repackaging the library using something like jarjar. [DuplicatePlatformClasses]

This fixed those errors:

implementation ('com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0')  {
    exclude group: 'org.apache.httpcomponents'
}

implementation ('com.google.auth:google-auth-library-oauth2-http:0.22.2')  {
    exclude group: 'org.apache.httpcomponents'
}

    OkHttpService service = new OkHttpService();
    // Service-account credentials are read from the file and scoped to the
    // Android Publisher API.
    GoogleCredentials credentials = GoogleCredentials
            .fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null))
            .createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER);
    // NetHttpTransport comes from google-api-client, the artifact whose
    // SslUtils$1 class the lint report below points at.
    AndroidPublisher publisher = new AndroidPublisher.Builder(
            new NetHttpTransport(),
            JacksonFactory.getDefaultInstance(),
            new HttpCredentialsAdapter(credentials))
            // was String.valueOf(R.string.app_name), which passes the integer
            // resource id; getString() assumes this runs inside a Context
            .setApplicationName(getString(R.string.app_name))
            .build();
    SubscriptionPurchase purchase = publisher.purchases().subscriptions()
            .get(BuildConfig.APPLICATION_ID, subscriptionID, token)
            .execute();


<issue
    id="TrustAllX509TrustManager"
    severity="Warning"
    message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
    category="Security"
    priority="6"
    summary="Insecure TLS/SSL trust manager"
    explanation="This check looks for X509TrustManager implementations whose `checkServerTrusted` or `checkClientTrusted` methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.">
    <location
        file="Project\com\google\api\client\util\SslUtils$1.class"/>
</issue>
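The lint location above names a class (`SslUtils$1.class`) but not the artifact that ships it. The following triage script is an added example (not from the question or from Google's libraries): it walks a directory of jars and reports every class whose constant pool mentions `javax/net/ssl/X509TrustManager`, which is enough to tell which dependency carries a trust-manager implementation. The jars it scans here are constructed fixtures in a temp directory; on a real machine, `scan_jars()` would be pointed at the Gradle module cache (`~/.gradle/caches/modules-2/files-2.1`), and `.aar` archives would first need their inner `classes.jar` extracted.

```python
import tempfile
import zipfile
from pathlib import Path

# Any class that implements or references X509TrustManager carries this
# descriptor as a CONSTANT_Utf8 entry, so a raw byte search is a cheap first pass.
NEEDLE = b"javax/net/ssl/X509TrustManager"


def find_trust_manager_classes(jar_path):
    """Return the .class entries in one jar whose bytes mention X509TrustManager."""
    hits = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and NEEDLE in jar.read(name):
                hits.append(name)
    return sorted(hits)


def scan_jars(root):
    """Map each jar under root (by file name) to its suspicious class entries."""
    results = {}
    for path in sorted(Path(root).rglob("*.jar")):
        hits = find_trust_manager_classes(path)
        if hits:
            results[path.name] = hits
    return results


def build_sample_cache(root):
    """Constructed fixture: one jar with a trust-manager-like class, one clean jar.
    The class bodies are fake (magic number plus a string), not real bytecode."""
    tm_class = b"\xca\xfe\xba\xbe" + b"\x00" * 4 + NEEDLE + b"\x00" * 8
    plain_class = b"\xca\xfe\xba\xbe" + b"\x00" * 4 + b"java/lang/Object" + b"\x00" * 8
    with zipfile.ZipFile(Path(root) / "sample-api-client.jar", "w") as jar:
        jar.writestr("com/google/api/client/util/SslUtils$1.class", tm_class)
        jar.writestr("com/google/api/client/util/SslUtils.class", plain_class)
    with zipfile.ZipFile(Path(root) / "sample-clean-lib.jar", "w") as jar:
        jar.writestr("com/example/Plain.class", plain_class)
    return root


def run_demo():
    """Build the fixture in a temp dir and scan it; returns {jar: [classes]}."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_jars(build_sample_cache(tmp))


if __name__ == "__main__":
    for jar, classes in run_demo().items():
        print(jar, "->", classes)
```

The byte search is a heuristic: it also flags classes that merely call into a trust manager, so each hit still needs a look at the actual `checkServerTrusted` body, which is what the lint check does.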