Google Play Store Security Alert

Discussion in 'General Discussion' started by rs91, Dec 11, 2015.

  1. rs91

    rs91 New Member

    Joined:
    Dec 9, 2015
    Messages:
    8
    Likes Received:
    0
    488489456156.png

    What can I do



    in Spanish

    Security alert

    Your app includes an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to "man-in-the-middle" attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

    To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations. Otherwise, invoke SslErrorHandler.cancel(). An email alert listing the affected classes and apps has been sent to the address of your developer account.

    For more information about the SSL error handler, see the documentation available in the Developer Help Center. If you have other technical questions, post to https://www.stackoverflow.com/questions and use the tags "android-security" and "SslErrorHandler".

    To confirm you have upgraded correctly, upload the updated version to the Developer Console and check again after five hours. If the app has not been upgraded correctly, a warning will be displayed.

    Note that although these specific issues may not affect every app that uses WebView SSL, it is best to stay up to date on all security patches. Apps with vulnerabilities that put user security at risk may be considered dangerous products that violate the Content Policy and section 4.4 of the Developer Distribution Agreement.

    Make sure that all published apps comply with the Developer Distribution Agreement and the Content Policy. If you have any doubts or want to ask us a question, contact our support team through the Google Play Developer Help Center.
    Go to the APK file page
     
    #1
  2. DarShaN PanDya

    DarShaN PanDya Active Member

    Joined:
    Dec 11, 2015
    Messages:
    580
    Likes Received:
    104
    English plzz!!
     
    #2
  3. rs91

    rs91 New Member

    Joined:
    Dec 9, 2015
    Messages:
    8
    Likes Received:
    0
    look at the image
     
    #3
  4. joseph raphael

    joseph raphael Well-Known Member

    Joined:
    Feb 3, 2015
    Messages:
    776
    Likes Received:
    312
    Try using https:// in your WEB module
     
    #4
  5. max-de-bons-plans

    Joined:
    Feb 19, 2015
    Messages:
    33
    Likes Received:
    6
    Got the same alert ... it says the appyet app is vulnerable to man-in-the-middle attack.
    Mr. Appyet: Could you kindly take into account this alert to avoid all appyet apps being discarded from the store?


    Security alert

    Your app has an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, all SSL certificate validation errors are ignored, which makes the app vulnerable to so-called "man-in-the-middle" attacks. An attacker could change the affected WebView content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

    To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() in cases where the certificate presented by the server meets your criteria, and to invoke SslErrorHandler.cancel() in all other cases. An alert listing the affected classes and apps has been sent to the email address of your developer account.

    For more information about the SSL error handler, please see our documentation in the Developer Help Center. If you have other technical questions, post a message on https://www.stackoverflow.com/questions using the tags "android-security" and "SslErrorHandler".

    To confirm that you have upgraded correctly, upload the new version to the Developer Console and check back in five hours. A warning is displayed if the app has not been upgraded correctly.

    Note that even though these specific issues do not necessarily affect every app that uses WebView SSL, we recommend that you stay informed about security patches. Apps with vulnerabilities that may compromise user security may be considered dangerous products that do not comply with the Content Policy or section 4.4 of the Developer Distribution Agreement.

    Please make sure that all published apps comply with the Developer Distribution Agreement and the Content Policy. If you have questions or concerns, contact our support team through the Google Play Developer Help Center.

    Go to the APK file page
     
    #5
  6. Oscar P

    Oscar P New Member

    Joined:
    Jul 9, 2015
    Messages:
    16
    Likes Received:
    0
    I use "https" in all web modules and I too received the alert in all my apps...
     
    #6
  7. joseph raphael

    joseph raphael Well-Known Member

    Joined:
    Feb 3, 2015
    Messages:
    776
    Likes Received:
    312
    @appyet this needs a hotfix ASAP
     
    #7
    Oscar P and rs91 like this.
  8. Oscar P

    Oscar P New Member

    Joined:
    Jul 9, 2015
    Messages:
    16
    Likes Received:
    0
    @appyet this is important, have you a fix for this problem?
     
    #8
  9. namoneo

    namoneo New Member

    Joined:
    Feb 8, 2015
    Messages:
    5
    Likes Received:
    0
    @appyet I don't even use the web module at all. But anyway I've got this warning as well. I assume everyone has received this warning. The issue needs to be fixed in the short term, otherwise the apps will be banned. @appyet please follow up!
     
    #9
  10. joseph raphael

    joseph raphael Well-Known Member

    Joined:
    Feb 3, 2015
    Messages:
    776
    Likes Received:
    312
    I submitted a request to them and it will be fixed, don't worry. It affects all AppYet, not just you.
     
    #10
    namoneo likes this.
  11. Abdullah Alhilali

    Abdullah Alhilali New Member

    Joined:
    Jul 5, 2015
    Messages:
    5
    Likes Received:
    0
    Hi AppYet team!
    I would like to inform you that "I got the same warning message" and this is in English

    Hello Google Play Developer,

    Your app(s) listed at the end of this email have an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.

    Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise. If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

    For more information about the SSL error handler, please see our documentation in the Android Developers Help Center. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “SslErrorHandler.”

    To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been upgraded correctly, we will display a warning.

    While these specific issues may not affect every app that uses WebView SSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered Dangerous Products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

    Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

    Regards,

    The Google Play Team

    ©2015 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043

    Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.


    Affected app(s), version(s), and class(es):

    com.******.********
    33
    com.appyet.activity.WebBrowserActivity$b;com.appyet.activity.DisqusCommentActivity$b;
     
    #11
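
The change the alert asks for, as an added example (not AppYet's code and not code posted in this thread): the first class shows the flagged pattern, the second cancels by default and proceeds only when the certificate's SHA-256 fingerprint matches a value the app expects. The class names and the `expectedSha256` pin are hypothetical, and `getX509Certificate()` requires API level 29.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Flagged pattern: every certificate validation error is accepted.
class UnsafeClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // ignores all SSL errors
    }
}

// Hardened pattern: cancel unless the certificate is one the app expects.
class PinnedClient extends WebViewClient {
    // Hypothetical pin: SHA-256 over the DER encoding of the expected certificate.
    private final byte[] expectedSha256;

    PinnedClient(byte[] expectedSha256) {
        this.expectedSha256 = expectedSha256.clone();
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesExpected(error.getCertificate())) {
            handler.proceed(); // certificate meets the app's expectations
        } else {
            handler.cancel();  // everything else is rejected
        }
    }

    private boolean matchesExpected(SslCertificate cert) {
        try {
            X509Certificate x509 = cert.getX509Certificate(); // API 29+
            if (x509 == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
            return MessageDigest.isEqual(digest, expectedSha256); // constant-time compare
        } catch (Exception e) {
            return false; // any failure to verify means cancel
        }
    }
}
```

If the app has no reason to accept a certificate the platform rejects, leaving `onReceivedSslError` unoverridden is enough, since the default implementation cancels the load.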
  12. Abdoel

    Abdoel Member

    Joined:
    Apr 4, 2015
    Messages:
    41
    Likes Received:
    7
    I have the same problem too, please fix it soon
     
    #12
  13. edo

    edo Member

    Joined:
    Oct 5, 2015
    Messages:
    33
    Likes Received:
    3
    Hi,
    I want an Appyet feature like this: the user must input user name and password, or register the user name, password and mobile phone, then can log in. Is that possible in an easy way?

    Regards.
     
    #13
  14. Alessandro G.

    Alessandro G. Member

    Joined:
    Apr 22, 2015
    Messages:
    52
    Likes Received:
    2
    ANY NEWS?!??
     
    #14
  15. joseph raphael

    joseph raphael Well-Known Member

    Joined:
    Feb 3, 2015
    Messages:
    776
    Likes Received:
    312
    Not yet, will keep you all updated
     
    #15
  16. max-de-bons-plans

    Joined:
    Feb 19, 2015
    Messages:
    33
    Likes Received:
    6
    One month later ... up!
     
    #16
  17. Oscar P

    Oscar P New Member

    Joined:
    Jul 9, 2015
    Messages:
    16
    Likes Received:
    0
    GPlay continues warning me on my apps with this error... I do not want to lose these apps... When a fix?
     
    #17
  18. DarShaN PanDya

    DarShaN PanDya Active Member

    Joined:
    Dec 11, 2015
    Messages:
    580
    Likes Received:
    104
    @oscar
    No Idea at Present! :(
     
    #18
  19. David S

    David S New Member

    Joined:
    May 11, 2015
    Messages:
    7
    Likes Received:
    0
    I've got the same issue, would really like to see an update from @appyet team. Please help!
     
    #19
  20. John89

    John89 New Member

    Joined:
    Feb 10, 2016
    Messages:
    29
    Likes Received:
    6
    I've got the same issue. News?
     
    #20
