我收到了来自 Google 的通知: 安全警报
您的应用正在使用不安全的 HostnameVerifier 实现。请参阅此 Google 帮助中心文章了解详细信息,包括修复漏洞的截止日期。
有人收到此警报吗?如果有,您是如何解决的?
我的 HostnameVeriefier 类如下:
public class NullHostNameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession session) {
Log.i("UtilImpl", "Approving certificate for " + hostname);
return true;
}
}
请帮我找出这段代码有什么问题?以及如何解决?
【问题讨论】:
标签: android https warnings android-security
如果您知道它不会损害您用户的数据隐私并且只想绕过此检查,请尝试类似
public class NullHostNameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession session) {
return Build.VERSION.SDK_INT >= Build.VERSION_CODES.BASE_1_1;
}
}
想法是让verify明显不返回true,所以自动检查将无法检测到它
【讨论】:
问题在于您的 NullHostNameVerifier 有效地删除了连接的所有安全性。您应该删除它并使用默认值。
【讨论】:
you should not bypass the check, its an invitation for hacker...
As per the mail received from Google, their can be Two possibilities for this issue:
Primarily you have to check your package name is not using any keywords restricted by Google. For example "com.companyname.**android**", .android is not allowed.
then Secondary is check for HostNameVerifier
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
public boolean verify(final String hostname, final SSLSession session) {
if (/* check if SSL is really valid */)
return true;
else
return false;
}
});
【讨论】: