Quoting the Google Play help article: https://support.google.com/faqs/answer/6346016
This article is aimed at developers whose published apps contain an unsafe implementation of the X509TrustManager interface. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, which leaves your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even modify data sent over the HTTPS connection. To see the full list of affected apps, visit the Developer Console.
To handle SSL certificate validation properly, change the code in the checkServerTrusted method of your custom X509TrustManager interface so that it throws a CertificateException or IllegalArgumentException whenever the certificate presented by the server does not match your expectations. For technical questions, you can post on Stack Overflow using the "android-security" and "TrustManager" tags.
Please fix this issue as soon as possible and increment the version number of the upgraded APK. Starting May 17, 2016, Google Play will block the publishing of any new apps or app updates that contain an unsafe implementation of the X509TrustManager interface.
To confirm that your changes are correct, submit the updated version of your app to the Developer Console and check back after 5 hours. If the app has not been upgraded correctly, a warning will be displayed.
Although these specific issues may not affect every app that implements the TrustManager interface, it is best not to ignore any SSL certificate validation errors. If an app contains security vulnerabilities that expose users to the risk of compromise, we may consider it a dangerous product that violates the Content Policy and section 4.4 of the Developer Distribution Agreement.
***********************************************************************************
A full-text search for X509TrustManager found it in the dump.txt file under the proguard folder:
1、
_____________________________________________________________________
+ Program class: com/baidu/b/a/f
Superclass: java/lang/Object
Major version: 0x32
Minor version: 0x0
Access flags: 0x20
= class com.baidu.b.a.f extends java.lang.Object
Interfaces (count = 1):
+ Class [javax/net/ssl/X509TrustManager]
Constant Pool (count = 34):
+ Class [com/baidu/b/a/d]
+ Class [com/baidu/b/a/d$b]
+ Class [com/baidu/b/a/f]
+ Class [java/lang/Object]
+ Class [java/security/cert/CertificateException]
+ Class [javax/net/ssl/X509TrustManager]
Fix: update the Baidu Maps SDK.
Reference: http://developer.baidu.com/announcement/394
2、
_____________________________________________________________________
+ Program class: com/loopj/android/http/MySSLSocketFactory$1
Superclass: java/lang/Object
Major version: 0x32
Minor version: 0x0
Access flags: 0x20
= class com.loopj.android.http.MySSLSocketFactory$1 extends java.lang.Object
Interfaces (count = 1):
+ Class [javax/net/ssl/X509TrustManager]
Constant Pool (count = 41):
+ Class [com/loopj/android/http/MySSLSocketFactory]
+ Class [com/loopj/android/http/MySSLSocketFactory$1]
+ Class [java/lang/Object]
+ Class [java/security/cert/CertificateException]
+ Class [javax/net/ssl/X509TrustManager]
Fix: AsyncHttpClient
3、Sina Weibo
import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;

// In the original this is a static nested class of the HTTP client helper; it is shown
// top-level here so the imports above apply directly.
public class MySSLSocketFactory extends SSLSocketFactory {
    SSLContext sslContext = SSLContext.getInstance("TLS");

    public MySSLSocketFactory(KeyStore truststore)
            throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
        super(truststore);

        TrustManager tm = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // The added check (bold in the original): reject a leaf certificate that is
                // outside its validity period. checkValidity() only tests notBefore/notAfter;
                // it does not verify the signature chain or the trust anchor.
                try {
                    chain[0].checkValidity();
                } catch (Exception e) {
                    throw new CertificateException("Certificate not valid or trusted.");
                }
            }

            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0]; // must not return null
            }
        };

        sslContext.init(null, new TrustManager[] { tm }, null);
    }

    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
    }

    @Override
    public Socket createSocket() throws IOException {
        return sslContext.getSocketFactory().createSocket();
    }
}
Fix:
Add a certificate validity check in checkServerTrusted (the part shown in bold in the original, i.e. the try/catch around chain[0].checkValidity()).