This article is intended for developers with app(s) using an unsafe implementation of the WebViewClient.onReceivedSslError handler.
What’s happening
One or more of your apps contain an unsafe implementation of the onReceivedSslError handler, which makes the app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript. Vulnerable locations in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.
After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps and fix the vulnerability.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Additional details
- To correct the issue, update your app's code to invoke SslErrorHandler.proceed() only when the certificate presented by the server meets your expectations, and to invoke SslErrorHandler.cancel() otherwise. Keep the following points in mind while checking the validity of the certificate:
  - An app may be flagged if it does not contain sufficient checks for certificate validity; for instance, just checking the return value of getPrimaryError is not sufficient to establish the validity of the certificate.
  - It is not safe to ignore most SSL errors returned by SslError.getPrimaryError. Note that getPrimaryError returns only the most severe error in a set of errors, so even when getPrimaryError() != SSL_UNTRUSTED is true, the set of errors on the connection may still include SSL_UNTRUSTED. Use SslError.hasError() to test for a specific error rather than relying on the primary error alone.
  - If you are using a third-party library that is responsible for this, notify the third party and work with them to address the issue.
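As an added illustration (this is not code from this article or from Android's own sources), the following Java places two handlers that would be flagged next to one that follows the points above: it calls proceed() only when the sole error is SSL_UNTRUSTED and the presented leaf certificate matches a fingerprint the app pinned in advance, and calls cancel() in every other case. The fingerprint constant is a placeholder you would replace with the SHA-256 of your own server's certificate, and SslCertificate.getX509Certificate() assumes API level 29 or higher.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

/** Flagged: every TLS error is waved through, so any attacker certificate is accepted. */
final class UnsafeClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
}

/** Also flagged: the primary error alone says nothing about the other errors in the set. */
final class StillUnsafeClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // If the primary (most severe) error is, say, SSL_INVALID, SSL_UNTRUSTED
        // can still be present and this branch proceeds anyway.
        if (error.getPrimaryError() != SslError.SSL_UNTRUSTED) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }
}

/** Proceeds only for the one certificate the app expects; cancels otherwise. */
final class PinnedClient extends WebViewClient {
    // Placeholder (hypothetical) pin: lowercase hex SHA-256 over the DER encoding
    // of the leaf certificate served by the app's own backend.
    static final String PINNED_LEAF_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (isExpectedCertificate(error)) {
            handler.proceed();
        } else {
            handler.cancel(); // same as WebViewClient's default behaviour
        }
    }

    /** True only when the sole error is SSL_UNTRUSTED and the leaf matches the pin. */
    static boolean isExpectedCertificate(SslError error) {
        // Check every error with hasError(); getPrimaryError() would hide the rest.
        if (error.hasError(SslError.SSL_IDMISMATCH)
                || error.hasError(SslError.SSL_EXPIRED)
                || error.hasError(SslError.SSL_NOTYETVALID)
                || error.hasError(SslError.SSL_DATE_INVALID)
                || error.hasError(SslError.SSL_INVALID)) {
            return false;
        }
        if (!error.hasError(SslError.SSL_UNTRUSTED)) {
            return false; // nothing we recognise; let the default cancel apply
        }
        SslCertificate cert = error.getCertificate();
        if (cert == null) {
            return false;
        }
        X509Certificate leaf = cert.getX509Certificate(); // API 29+
        if (leaf == null) {
            return false;
        }
        try {
            byte[] actual = sha256Hex(leaf.getEncoded()).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = PINNED_LEAF_SHA256.getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, actual); // constant-time compare
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

If your app does not need to accept a private-CA or self-signed certificate at all, the simplest fix is to not override onReceivedSslError: the default implementation cancels the load. When you do pin, remember the pin must be rotated before the server certificate changes, or the WebView will stop loading legitimately.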
For more information about the SSL error handler, please see our documentation in the Android Developers Help Center. For other technical questions, you can post to https://www.stackoverflow.com/questions and use the tags “android-security” and “SslErrorHandler.”
While these specific issues may not affect every app that uses WebView SSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.