上架 Google Play 遇到 Ssl error handler 问题

如题，提交应用的时候，google 给回了一封邮件：大致内容如下：

Hello Google Play Developer,

We reviewed xxx, with package name xxxx, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

SSL Error Handler For more information on how to address WebView SSL Error Handler alerts, please see this Google Help Center article.

我按照Google Help Center article 这个地址处理了我 onReceivedSslError 方法，跟服务器要了 https 证书的 sha256 指纹，然后比对错误证书的指纹是否和服务器的指纹一直，如果一直才去sslErrorHandler.proceed() 否则 sslErrorHandler.cancel()。

提交之后，还是收到邮件反馈说是 ssl error handler，我也试了这里的方法stackoverflow 当出现错误的时候，弹出对话框询问用户是否继续访问，让用户决定，但是也没有用。

不知道 v 站的各位大佬有没有遇到这种情况。

Jirajine

2021-04-22 10:50:57 +08:00

Applications are advised not to prompt the user about SSL errors, as the user is unlikely to be able to make an informed security decision and WebView does not provide any UI for showing the details of the error in a meaningful way.

Application overrides of this method may display custom error pages or silently log issues, but it is strongly recommended to always call SslErrorHandler#cancel and never allow proceeding past errors.

没有强制要求 ssl pinning，验证服务器证书不是必要的。这个要求的本意是避免证书错误时仍然连接导致数据被窃取，而不是防止用户主动加证书抓包。

所以按他的要求只要收到错误直接取消就完事了，顺便打个 log 和 toast，弹窗询问应该也是允许的。