Yogi Yogi - 3 months ago 18
Android Question

I am using the Live SDK for uploading files to OneDrive and received an alert from Google:

Vulnerable classes:

Google Play Warning: SSL Error Handler Vulnerability


com.microsoft.live.AuthorizationRequest$OAuthDialog$AuthorizationWebViewClient


However, I have checked my code and I am not using any web view, and I also don't have any method such as

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed();
}


I don't know how to handle this. Could anyone help me?

Answer

I have searched and found the answer to my own question: in the old OneDrive SDK, the library was internally making a call to WebViewClient for authorization, and in that case they had added the code

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed();
}

As per Google's recommendations, you should not proceed directly; the user should be notified with a security exception. In the updated OneDrive SDK they have removed the unnecessary implementation of onReceivedSslError. That solved the problem of uploading the APK to the Google Play Store. If you are using any third-party tool or library that implements this call, you should update the call with:

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // A WebViewClient is not a Context, so build the dialog from the WebView's context.
    final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            // The user explicitly accepted the certificate error.
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            // Abort the page load.
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

Or you can remove it if you don't require it.
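
An added example, not part of the original answer or of any SDK: a Python check that scans Java source (your own or a vendored library's) for onReceivedSslError overrides and flags those that only ever call proceed() on the handler. The sample sources are constructed, and scanning source text rather than compiled classes is an assumption of this example.

```python
import re

# Start of an onReceivedSslError override; captures the handler parameter name.
SIG = re.compile(r"onReceivedSslError\s*\([^)]*?SslErrorHandler\s+(\w+)[^)]*\)\s*\{")

def method_body(src, open_brace):
    """Return the text between the brace at open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced source: take the rest

def classify(src):
    """Return [(handler_name, verdict)] for each override found in src."""
    results = []
    for m in SIG.finditer(src):
        name = re.escape(m.group(1))
        body = method_body(src, m.end() - 1)
        # Drop comments so a commented-out call is not counted.
        body = re.sub(r"//[^\n]*|/\*.*?\*/", "", body, flags=re.S)
        proceeds = re.search(name + r"\s*\.\s*proceed\s*\(", body)
        cancels = re.search(name + r"\s*\.\s*cancel\s*\(", body)
        if not proceeds:
            verdict = "fail-closed"
        elif cancels:
            verdict = "conditional"      # e.g. a user prompt; review by hand
        else:
            verdict = "always-proceeds"  # the pattern from the question
        results.append((m.group(1), verdict))
    return results

# Constructed sample sources (not taken from any real SDK).
SAMPLES = {
    "old_sdk": "public void onReceivedSslError(WebView view, SslErrorHandler handler, "
               "SslError error) {\n    handler.proceed();\n}",
    "dialog": "public void onReceivedSslError(WebView v, final SslErrorHandler handler, "
              "SslError e) {\n  ok(new L() { void onClick() { handler.proceed(); } });\n"
              "  no(new L() { void onClick() { handler.cancel(); } });\n}",
    "strict": "public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) "
              "{\n  // h.proceed();\n  h.cancel();\n}",
}
if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, classify(src))
```

A "conditional" verdict only means both calls appear in the method; whether the proceed() path is actually gated on a user decision still needs a manual read.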