android-security - w3toppers.com

android Google Play Warning: SSL Error Handler Vulnerability

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning. @Override public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) … Read more

Your app contains an Intent Redirection vulnerability

I was having the same issue “intent redirection your app(s) are vulnerable to intent redirection” and I added exported=”false” in every activity, but still got rejected, then I realized the problem was in one of the payment libraries I was using, all I had to do is update the library and the new app update … Read more

Google Play security alert for insecure TrustManager

Try to search for “TrustManager” in your codes, if none is to be found, most of the cases it is because of third party libraries included. For me it was because of using an older version of ACRA (https://github.com/ACRA/acra).

What is AAPT (Android Asset Packaging Tool) and how does it work?

AAPT allows you to view, create, and update ZIP-compatible archives (ZIP, JAR, and APK). It can also compile resources into binary assets. It is the base builder for Android applications. Of course you can ship .so files from an application, but if you want to use it, you will need reverse engineering plugins and these … Read more

How to fix unsafe implementation of X509TrustManager in Android app

I have solved this using the following code: public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { chain[0].checkValidity(); } catch (Exception e) { throw new CertificateException(“Certificate not valid or trusted.”); } }

Android: Removing OpenCV older version will resolve Libpng Vulnerability warning?

The vulnerable version of libpng in OpenCV 2.4.x was updated in OpenCV 2.4.13.1. It can be downloaded from here. As @Simon says, OpenCV 3.x is not affected. More info: #6694 OpenCV 2.x uses vulnerable version of libpng

Google Play Security Alert – Your app is using an unsafe implementation of the HostnameVerifier

Same here – Insecure Hostname Verifier Detected in APK Your app is using an unsafe implementation of HostnameVerifier. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability. Im not using HostnameVerifier and not calling setDefaultHostnameVerifier. Moreover – Im using OKHTTP lib for http-requests. I hope that defining TrustManager … Read more

How to determine which dependency causes Google Play OpenSSL warning?

Is there any option to pinpoint actual dependency from there? Yes, but you need to know the offending OpenSSL version and you need grep. Windows find won’t do. First, take note of the offending OpenSSL version. For sake of argument, say its due to OpenSSL 1.0.1h. Next, gather a list of your dependencies and their … Read more

WebView: how to avoid security alert from Google Play upon implementation of onReceivedSslError

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. As email said, onReceivedSslError should handle user is going to a page with invalid cert, such like a notify dialog. You should not proceed it directly. For example, I … Read more

Webview avoid security alert from google play upon implementation of onReceivedSslError

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. As email said, onReceivedSslError should handle user is going to a page with invalid cert, such like a notify dialog. You should not proceed it directly. For example, I … Read more