playstore漏洞hostnameverifier接口的不安全实现

ppcbkaq5  于 2021-06-30  发布在  Java
关注(0)|答案(1)|浏览(637)

我知道这是个老主题。但我已经尝试了大多数答案中的所有解决方案。我已经上传了10次应用程序在2天内,并不断从谷歌播放支持相同的通知。

当我收到来自google的通知时,我使用的是okhttp3的内置主机名验证器。但在多次失败之后,我更新了所有依赖项,并添加了主机名验证程序。更新仍然被拒绝。这是我的apiclient类。

public class APIClient {

private static Retrofit retrofit = null;

public static ApiInterface getAPIClient() {
    if (retrofit == null) {
        retrofit = new Retrofit
                .Builder()
                .baseUrl(BuildConfig.BASE_URL)
                .client(getHttpClient())
                .addCallAdapterFactory(RxJava2CallAdapterFactory.create())
                .addConverterFactory(GsonConverterFactory.create())
                .build();
    }
    return retrofit.create(ApiInterface.class);
}

private static OkHttpClient getHttpClient() {

    HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
    interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
    OkHttpClient.Builder okHttpClientBuilder = new OkHttpClient.Builder();
    okHttpClientBuilder.cache(new Cache(MvpApplication.getInstance().getCacheDir(), 10 * 1024 * 1024)) // 10 MB
            .connectTimeout(10, TimeUnit.MINUTES)
            .addNetworkInterceptor(new AddHeaderInterceptor())
            .addNetworkInterceptor(new StethoInterceptor())
            .readTimeout(10, TimeUnit.MINUTES)
            .writeTimeout(10, TimeUnit.MINUTES)
            .addInterceptor(interceptor);

    okHttpClientBuilder.hostnameVerifier((hostname, session) -> {

        Certificate[] certs;
        try {
            certs = session.getPeerCertificates();
        } catch (SSLException e) {
            return false;
        }
        X509Certificate x509 = (X509Certificate) certs[0];
        // We can be case-insensitive when comparing the host we used to
        // establish the socket to the hostname in the certificate.
        String hostName = hostname.trim().toLowerCase(Locale.ENGLISH);
        // Verify the first CN provided. Other CNs are ignored. Firefox, wget,
        // curl, and Sun Java work this way.
        String firstCn = getFirstCn(x509);
        System.out.println(TAG + ": firstCn: "+firstCn);
        if (matches(hostName, firstCn)) {
            return true;
        }
        for (String cn : getDNSSubjectAlts(x509)) {
            if (matches(hostName, cn)) {
                return true;
            }
        }
        return false;

    });

    return okHttpClientBuilder.build();

}

private static String getFirstCn(X509Certificate cert) {
    String subjectPrincipal = cert.getSubjectX500Principal().toString();
    for (String token : subjectPrincipal.split(",")) {
        int x = token.indexOf("CN=");
        if (x >= 0) {
            return token.substring(x + 3);
        }
    }
    return null;
}

private static class AddHeaderInterceptor implements Interceptor {
    @Override
    public Response intercept(@NonNull Chain chain) throws IOException {
        Request.Builder builder = chain.request().newBuilder();
        builder.addHeader("X-Requested-With", "XMLHttpRequest");
        builder.addHeader("Authorization",
                SharedHelper.getKey(MvpApplication.getInstance(), "access_token"));
        Log.d("TTT access_token", SharedHelper.getKey(MvpApplication.getInstance(), "access_token"));
        return chain.proceed(builder.build());
    }
}

有人能建议我在游戏商店发布一个版本之前检查可能的漏洞,或者绕过这个问题吗?
以下是项目中hostnameverifier的实现。

我在发射前的报告中得到了17次警告。其中一些是由于okhttp。这是一个警告。

StrictMode policy violation: android.os.strictmode.NonSdkApiUsedViolation: Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V
at android.os.StrictMode.lambda$static$1(StrictMode.java:428)
at android.os.-$$Lambda$StrictMode$lu9ekkHJ2HMz0jd3F8K8MnhenxQ.accept(Unknown Source:2)
at java.lang.Class.getDeclaredMethodInternal(Native Method)
at java.lang.Class.getPublicMethodRecursive(Class.java:2075)
at java.lang.Class.getMethod(Class.java:2063)
at java.lang.Class.getMethod(Class.java:1690)
at okhttp3.internal.platform.android.AndroidSocketAdapter.<init>(AndroidSocketAdapter.kt:36)
at okhttp3.internal.platform.android.StandardAndroidSocketAdapter.<init>(StandardAndroidSocketAdapter.kt:34)
at okhttp3.internal.platform.android.StandardAndroidSocketAdapter$Companion.buildIfSupported(StandardAndroidSocketAdapter.kt:59)
at okhttp3.internal.platform.android.StandardAndroidSocketAdapter$Companion.buildIfSupported$default(StandardAndroidSocketAdapter.kt:52)
at okhttp3.internal.platform.AndroidPlatform.<init>(AndroidPlatform.kt:47)
at okhttp3.internal.platform.AndroidPlatform$Companion.buildIfSupported(AndroidPlatform.kt:160)
at okhttp3.internal.platform.Platform$Companion.findAndroidPlatform(Platform.kt:219)
at okhttp3.internal.platform.Platform$Companion.findPlatform(Platform.kt:212)
at okhttp3.internal.platform.Platform$Companion.access$findPlatform(Platform.kt:169)
at okhttp3.internal.platform.Platform.<clinit>(Platform.kt:170)
at okhttp3.OkHttpClient.<init>(OkHttpClient.kt:237)
at okhttp3.OkHttpClient$Builder.build(OkHttpClient.kt:1069)
at com.shadigipay.shadrivedriver.data.network.APIClient.getHttpClient(APIClient.java:172)
at com.shadigipay.shadrivedriver.data.network.APIClient.getAPIClient(APIClient.java:56)
at com.shadigipay.shadrivedriver.ui.activity.splash.SplashPresenter.checkVersion(SplashPresenter.java:33)
at com.shadigipay.shadrivedriver.ui.activity.splash.SplashActivity.checkVersion(SplashActivity.java:98)
at com.shadigipay.shadrivedriver.ui.activity.splash.SplashActivity.onResume(SplashActivity.java:205)
at android.app.Instrumentation.callActivityOnResume(Instrumentation.java:1412)
at androidx.test.runner.MonitoringInstrumentation.callActivityOnResume(MonitoringInstrumentation.java:1)
at android.app.Activity.performResume(Activity.java:7300)
at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3814)
at android.app.ActivityThread.handleResumeActivity(ActivityThread.java:3854)
at android.app.servertransaction.ResumeActivityItem.execute(ResumeActivityItem.java:51)
at android.app.servertransaction.TransactionExecutor.executeLifecycleState(TransactionExecutor.java:145)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:70)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1816)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:193)
at android.app.ActivityThread.main(ActivityThread.java:6718)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)

我正在使用okhttp4.9.0和改进版2.9.0

rryofs0p

rryofs0p1#

复制google play安全警报-你的应用程序正在使用hostnameverifier的不安全实现
不要编写自己的hostnameverifier,这样做只会降低安全性,而且不太可能得到批准。您需要找到他们正在标记的hostnameverifier的实现,并停止使用它。
你也应该遵循你在照片中链接到的说明https://support.google.com/faqs/answer/7188426?hl=en
用android security标记这个问题,并可能使用他们提供的表单与他们联系。
还可以编辑您的问题以显示项目中的实现

相关问题