SSL Error Handler causing Play Store Rejection

Hi,

How does one get around app rejections that state ‘SSL Error Handler’ as the reason for the rejection?

I have had an app rejected from the Play Store with the following message:

We rejected <app_name>, with package name <package_name> for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.
This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.
Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.
Vulnerability: SSL Error Handler
    For more information on how to address WebView SSL Error Handler alerts, please see this Google Help Center article.
APK Version: 10520 (November 30, 2016)

If this were a native Android project, we could follow the instructions here:


To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

At first I thought the HTTP native plugin would solve this issue. I included a .cer file as recommended on the plugin page, and used this in my provider:

    // Ionic Native HTTP plugin: pin against the .cer bundled with the app
    this.httpPlugin.enableSSLPinning(true).then(() => {
        console.log('httpPlugin.enableSSLPinning true');
        this.sslEnabled = true;
    }).catch((err) => {
        this.sslEnabled = false;
        console.log('httpPlugin.enableSSLPinning catch ' + err);
    });

At first this is all I did, but the app was still rejected for the same reasons. So I used the httpPlugin for all the calls.
Instead of doing this:

    // Angular Http: get(url, options)
    this.http.get( thisUrl, { headers: this.getHeaders( user ) } )
        .subscribe( res => {

I tried it like this:

    // Ionic Native HTTP plugin: get(url, parameters, headers); assumes getHeaders() returns a plain { name: value } object
    this.httpPlugin.get( thisUrl, {}, this.getHeaders( user ) )
        .then( res => {

This was just an experiment to see if the apk would be accepted (it wasn't). This approach would make the app unusable in the browser using 'ionic serve', so it is not ideal. And the rejection message was the same.

Also, the enable SSL pinning call in the constructor of the provider was failing:

    this.httpPlugin.enableSSLPinning(true).then(() => {
    ...
    }).catch((err) => {
        console.log('httpPlugin.enableSSLPinning catch ' + err);
    });

The console log shows: httpPlugin.enableSSLPinning catch: There was an error setting up ssl pinning. I have raised an issue for it seeking clarification on what could also cause this here:

Any help on this issue would be much appreciated.

As an update on this issue, Google Play Developer Support provided more details about the app rejection, which said: the app has the following class, which contains a vulnerable version of SslErrorHandler:
org.apache.cordova.inappbrowser.InAppBrowser$InAppBrowserClient;

The InAppBrowserClient is part of the Cordova plugin we use for OAuth interactions. This is an Apache project which has no issue tracking on its repo. Issues with this plugin are tracked on the Apache Cordova issue tracker.

Does anyone know of a workaround to make the in app browser plugin use ssl pinning on Android?
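For reference, here is what the Google guidance quoted above (proceed() only when the certificate meets your expectations, cancel() otherwise) looks like as a native WebViewClient. This is an added example, not code from the original post and not the Cordova InAppBrowser plugin's own code; the class name PinningWebViewClient, the placeholder PINNED_SHA256_HEX value and the choice to pin the SHA-256 of the DER-encoded leaf certificate are all assumptions. Adapting it to the plugin's InAppBrowserClient is exactly what the question asks about and is not shown here.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not the post's code, not the Cordova plugin's code).
 * onReceivedSslError is only invoked after the platform's own chain validation
 * has already failed, so this override decides which *untrusted* certificate
 * the app is willing to accept: the one whose digest matches the pin, nothing else.
 */
public class PinningWebViewClient extends WebViewClient {

    // Assumption/placeholder: SHA-256 over the DER bytes of the expected leaf
    // certificate (the same .cer shipped with the app). Replace before use.
    private static final String PINNED_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private final byte[] pinnedSha256;

    public PinningWebViewClient() {
        this.pinnedSha256 = hexToBytes(PINNED_SHA256_HEX);
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        byte[] der = derEncoding(error.getCertificate());
        if (der != null && matchesPin(der)) {
            handler.proceed(); // the server presented exactly the certificate we pinned
        } else {
            handler.cancel();  // unknown or mismatching certificate: abort the load
        }
    }

    /**
     * Extracts the DER-encoded certificate from an SslCertificate. Uses the
     * saved-state Bundle ("x509-certificate" key) so it also works on API levels
     * below 29, where SslCertificate.getX509Certificate() is not available.
     */
    static byte[] derEncoding(SslCertificate cert) {
        if (cert == null) {
            return null;
        }
        Bundle state = SslCertificate.saveState(cert);
        return state == null ? null : state.getByteArray("x509-certificate");
    }

    /** Compares SHA-256(der) with the pin using a constant-time comparison. */
    boolean matchesPin(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(pinnedSha256, digest);
        } catch (NoSuchAlgorithmException e) {
            return false; // fail closed: if we cannot hash, we never proceed()
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Install it with webView.setWebViewClient(new PinningWebViewClient()). Two points worth keeping in mind: a certificate that passes the system trust store never reaches onReceivedSslError at all, so the pin only governs the error path; and because the digest covers the whole leaf certificate, the pin has to be rotated together with the certificate, otherwise every load is cancelled after renewal.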