
android – Google Play security alert – Your app is using an unsafe implementation of HostnameVerifier

Recently one of my apps received a security alert from Google Play, shown below.

Your app is using an unsafe implementation of HostnameVerifier. For details on the fix and the deadline, see the linked Google Play Help Center article.

Here is my code.

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String arg0, SSLSession arg1) {
        return true; // accepts every hostname regardless of the certificate; this is what Google Play flags
    }
});

Can anyone explain, with an example, what changes I should make to fix this warning?

Solution

Same here – unsafe hostname verifier detected in the APK

Your app is using an unsafe implementation of HostnameVerifier. Please
see this Google Help Center article for details, including the
deadline for fixing the vulnerability. I'm not using HostnameVerifier
and not calling setDefaultHostnameVerifier. Moreover, I'm using the OkHttp
lib for HTTP requests. I hope that defining a TrustManager will solve
this issue.

Since I am not subclassing HostnameVerifier or calling setDefaultHostnameVerifier(), I think it comes from some third-party library. Since I can't detect such a lib, I thought I would try adding a class containing the following code

// Capture the platform verifier before replacing it, so the real certificate/hostname
// check is still performed instead of an unconditional "return true".
final HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(final String hostname, final SSLSession session) {
        // true only if the peer certificate really matches the hostname
        return defaultVerifier.verify(hostname, session);
    }
});

to my project and see whether it resolves the issue.
So I did that, and in addition, for every webView I added the overridden method

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // the main thing is to show dialog informing user
    // that SSL cert is invalid and prompt him to continue without
    // protection: handler.proceed();
    // or cancel: handler.cancel();
    String message;
    switch (error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_date_invalid);
            break;
        case SslError.SSL_EXPIRED:
            message = ResHelper.getString(R.string.ssl_cert_error_expired);
            break;
        case SslError.SSL_IDMISMATCH:
            message = ResHelper.getString(R.string.ssl_cert_error_idmismatch);
            break;
        case SslError.SSL_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_invalid);
            break;
        case SslError.SSL_NOTYETVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_not_yet_valid);
            break;
        case SslError.SSL_UNTRUSTED:
            message = ResHelper.getString(R.string.ssl_cert_error_untrusted);
            break;
        default:
            message = ResHelper.getString(R.string.ssl_cert_error_cert_invalid);
    }
    mSSLConnectionDialog = new MaterialDialog.Builder(getParentActivity())
            .title(R.string.ssl_cert_error_title)
            .content(message)
            .positiveText(R.string.continue_button)
            .negativeText(R.string.cancel_button)
            .titleColorRes(R.color.black)
            .positiveColorRes(R.color.main_red)
            .contentColorRes(R.color.comment_grey)
            .backgroundColorRes(R.color.sides_menu_gray)
            .onPositive(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                    mSSLConnectionDialog.dismiss();
                    handler.proceed();
                }
            })
            .onNegative(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                    handler.cancel();
                }
            })
            .build();
    mSSLConnectionDialog.show();
}

to

mWebView.setWebViewClient(new WebViewClient() {
    ... // other corresponding overridden methods, including onReceivedSslError()
});

Finally, Google said:

Security SCAN COMPLETE
No kNown vulnerabilities were detected for APK 158.

But I'm not sure which of the code was responsible: mWebView.setWebViewClient, HostNameVerifier or onReceivedSslError(). Note: HostNameVerifier.setDefaultHostnameVerifier() should not just return true as in the code above! It must implement some logic that checks whether everything is fine with the SSL connection and returns true or false accordingly. This is important.
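As an added example that is not part of the question or the answer above, here is one way to write a HostnameVerifier that actually performs a check instead of returning true: it restricts HttpsURLConnection to an allowlist of hosts the app is expected to talk to, matches the hostname against the leaf certificate's dNSName subjectAltNames (exact or single-label wildcard), and still requires the platform's own verifier to agree. The WebViewClient at the end is the fail-closed counterpart of the dialog approach in the answer: it cancels on any TLS error rather than letting the page load. The class name, the `install()` helper and the hostnames are assumptions for illustration; the scanner's exact detection rules are not documented on this page.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical verifier (added example, not from the page): pins the app to an
 * allowlist of hosts and checks the leaf certificate's dNSName SANs against the
 * hostname being connected to. Anything it cannot positively verify is rejected.
 */
public final class StrictHostnameVerifier implements HostnameVerifier {
    private static final int SAN_DNS_NAME = 2;  // GeneralName tag value for dNSName
    private final Set<String> allowedHosts;
    private final HostnameVerifier platformVerifier;

    public StrictHostnameVerifier(HostnameVerifier platformVerifier, String... hosts) {
        this.platformVerifier = platformVerifier;
        this.allowedHosts = new HashSet<>();
        for (String h : hosts) allowedHosts.add(h.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        String host = hostname.toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(host)) return false;      // not a host this app talks to
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (!matchesAnySan(host, sans)) return false;
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;                                    // unverified peer: fail closed
        }
        // Belt and braces: the platform verifier must agree as well.
        return platformVerifier.verify(hostname, session);
    }

    /** True if any dNSName SAN entry matches the host; no SAN extension means reject (no CN fallback). */
    static boolean matchesAnySan(String host, Collection<List<?>> sans) {
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (san.size() >= 2
                    && Integer.valueOf(SAN_DNS_NAME).equals(san.get(0))
                    && san.get(1) instanceof String
                    && matchesDnsPattern(host, (String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    /** RFC 6125 style match: exact, or a leading "*." wildcard that covers exactly one label. */
    static boolean matchesDnsPattern(String host, String pattern) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1);                // "*.example.com" -> ".example.com"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");     // one label only, never the bare domain
    }

    /** Install on HttpsURLConnection, keeping the platform verifier as a second gate. */
    public static void install(String... hosts) {
        HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier(new StrictHostnameVerifier(platform, hosts));
    }

    /** WebViewClient counterpart: a TLS error aborts the load instead of prompting. */
    public static final class FailClosedWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();   // never handler.proceed() here
        }
    }
}
```

Call `StrictHostnameVerifier.install("api.example.com", "cdn.example.com")` once at startup (the hostnames are placeholders) and set `new StrictHostnameVerifier.FailClosedWebViewClient()` on each WebView. Two caveats worth knowing: this only affects clients that use HttpsURLConnection, so a library such as OkHttp, which ships its own hostname verification, is unaffected by it either way; and `matchesDnsPattern` deliberately refuses to let `*.example.com` match `example.com` or `a.b.example.com`, which is the edge case a hand-written verifier most often gets wrong.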
