我从 Google 收到了下面这条消息。我们没有使用任何 TrustManager 之类的东西,用的是 OkHttp 和 Google AndroidPublisher 库,我不知道该如何检测这个安全漏洞。
我们发现您的应用包含安全漏洞,这些漏洞会暴露用户信息或损坏用户设备,违反了“设备和网络滥用”政策。具体来说,您的应用易受 TrustManager 漏洞影响。要解决此问题,请按照 Google 帮助中心文章中的步骤操作。
受影响版本:apk:21
// App module dependency list as posted in the question.
// NOTE(review): the lint finding quoted further down this page locates the empty trust manager at
// com/google/api/client/util/SslUtils$1.class, i.e. in a library package rather than in the app's own
// sources. A dependency report (./gradlew :<module>:dependencies) shows which entry below ships it.
dependencies {
implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
implementation "androidx.multidex:multidex:2.0.1"
implementation 'com.google.android.material:material:1.2.1'
implementation 'com.google.firebase:firebase-messaging:21.0.1'
implementation 'com.facebook.android:facebook-android-sdk:8.2.0'
implementation 'com.github.chrisbanes:PhotoView:2.1.3'
implementation 'org.jsoup:jsoup:1.13.1'
implementation 'com.android.billingclient:billing:3.0.2'
annotationProcessor 'com.jakewharton:butterknife-compiler:10.2.3'
implementation 'com.jakewharton:butterknife:10.2.3'
implementation 'io.reactivex.rxjava3:rxjava:3.0.8'
implementation 'com.google.code.gson:gson:2.8.6'
implementation 'com.varunjohn1990.libraries:WhatsappMessengerView:2.1.0'
// NOTE(review): Google API Java client for the Play Developer API. Presumably this is what brings the
// com.google.api.client.* classes (including the flagged SslUtils$1) onto the classpath transitively;
// confirm with the dependency report.
implementation 'com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0'
// NOTE(review): used together with the credentials.json loaded in the Java snippet on this page. If that
// file is a service-account key, any copy of the app can recover it; verifying purchases on a backend
// would also take both of these libraries out of the APK.
implementation 'com.google.auth:google-auth-library-oauth2-http:0.22.2'
implementation 'com.github.drawers:SpinnerDatePicker:2.0.1'
implementation 'com.elyeproj.libraries:loaderviewlibrary:2.0.0'
implementation 'link.fls:swipestack:0.3.0'
implementation 'jp.wasabeef:picasso-transformations:2.4.0'
// If you want to use the GPU Filters
implementation 'jp.co.cyberagent.android:gpuimage:2.1.0'
implementation 'com.squareup.picasso:picasso:2.71828'
implementation 'com.github.HamidrezaAmz:AndroidImageSlider:v1.0.8'
implementation 'com.eightbitlab:blurview:1.6.3'
implementation 'pl.bclogic:pulsator4droid:1.0.3'
implementation 'com.google.android.play:core:1.9.0'
// Local project modules.
implementation project(':bottomnavbar')
implementation project(':segmentcontrol')
implementation project(':scrool')
}
\gradle:错误:commons-logging 定义的类与 Android 现在提供的类冲突。解决方案包括:查找不存在此问题的较新版本或替代库(例如,对于 httpclient,改用 HttpURLConnection 或 OkHttp),或者使用 jarjar 之类的工具重新打包该库 [重复平台类]
\build.gradle:错误:httpclient 定义的类与 Android 现在提供的类冲突。解决方案包括:查找不存在此问题的较新版本或替代库(例如,对于 httpclient,改用 HttpURLConnection 或 OkHttp),或者使用 jarjar 之类的工具重新打包该库 [重复平台类]
以下修改修复了上面的错误:
// Excludes the transitive org.apache.httpcomponents artifacts from both Google client libraries; per the
// author this clears the duplicate-platform-class build errors quoted above.
// NOTE(review): the exclude names only the org.apache.httpcomponents group. The class in the lint report
// on this page (com/google/api/client/util/SslUtils$1.class) lives in a different package, so this change
// does not remove it and should not be expected to clear the TrustManager finding.
implementation ('com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0') {
exclude group: 'org.apache.httpcomponents'
}
implementation ('com.google.auth:google-auth-library-oauth2-http:0.22.2') {
exclude group: 'org.apache.httpcomponents'
}
// Queries the Google Play Developer API for one subscription purchase, directly from the app.
OkHttpService service = new OkHttpService();

// Transport and JSON factory for the API client. The no-argument NetHttpTransport constructor is used
// as-is; nothing in this snippet installs a custom TrustManager or SSLSocketFactory.
NetHttpTransport transport = new NetHttpTransport();
JacksonFactory jsonFactory = JacksonFactory.getDefaultInstance();

// NOTE(review): credentials.json is fetched at runtime and parsed on the device. If it is a
// service-account key, every installed copy of the app can obtain it; purchase verification with such a
// key normally belongs on a backend. Confirm what this file contains.
// NOTE(review): the stream returned by sendRequestInput is not closed anywhere in this snippet.
GoogleCredentials scopedCredentials = GoogleCredentials
        .fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null))
        .createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER);
HttpCredentialsAdapter requestInitializer = new HttpCredentialsAdapter(scopedCredentials);

// NOTE(review): String.valueOf(R.string.app_name) produces the decimal text of the resource id, not the
// app-name string itself; left unchanged here.
AndroidPublisher publisher = new AndroidPublisher.Builder(transport, jsonFactory, requestInitializer)
        .setApplicationName(String.valueOf(R.string.app_name))
        .build();

// Look up the purchase identified by (package name, subscription id, purchase token).
SubscriptionPurchase purchase = publisher.purchases().subscriptions()
        .get(BuildConfig.APPLICATION_ID, subscriptionID, token)
        .execute();
<!-- Lint finding for the TrustManager report. The location below is a compiled class (SslUtils$1.class)
     under com/google/api/client/util, i.e. library bytecode rather than the app's own source. Per the
     explanation text, the check matches any X509TrustManager whose checkServerTrusted or
     checkClientTrusted does nothing; it does not show whether the app ever uses that class.
     NOTE(review): identify which dependency ships this class before choosing between upgrading it,
     removing it, or moving its use off the device. -->
<issue
id="TrustAllX509TrustManager"
severity="Warning"
message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
category="Security"
priority="6"
summary="Insecure TLS/SSL trust manager"
explanation="This check looks for X509TrustManager implementations whose `checkServerTrusted` or `checkClientTrusted` methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.">
<location
file="Project\com\google\api\client\util\SslUtils$1.class"/>
</issue>