Peter Nied Peter Nied - 2 months ago 35
Android Question

Google Play Warning: SSL Error Handler Vulnerability have a False Positive for WebViewClient.onReceivedSslErrorHandler SSL

I am contributor for a shared library project that just received notice one of our customers received this warning from the Google Play Store,


Hello Google Play Developer, In July, the app submissions listed at
the end of this email were rejected due to an unsafe implementation of
the WebViewClient.onReceivedSslErrorHandler. This implementation
ignores all SSL certificate validation errors, making your app
vulnerable to man-in-the-middle attacks. An attacker could change the
affected WebView's content, read transmitted data (such as login
credentials), and execute code inside the app using JavaScript.


When looking into our AuthorizationWebViewClient which extends WebViewClient, we do not implement onReceivedSslErrorHandler, meaning we fall under the default implementation putting this library in the clear.

Can we get confirmation if this is a false positive or if there are changes that have to be made to this library?

UPDATE:
This was due to the version of the SDK used being much older when this vulnerability was present, the current codebase does not have this issue hence the disconnect.

Answer

I'm not sure what the specific app in question is, but there are apps which have a vulnerable com.microsoft.services.msa.AuthorizationRequest$OAuthDialog$AuthorizationWebViewClient.

For example, com.jrsys.filemanager. Disassembling the code shows that it does in fact have an onReceivedSslErrorHandler implementation.

.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .registers 4
    .param p1, "view"    # Landroid/webkit/WebView;
    .param p2, "handler"    # Landroid/webkit/SslErrorHandler;
    .param p3, "error"    # Landroid/net/http/SslError;

    .prologue
    .line 143
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V

    .line 144
    return-void
.end method