I updated my app's version code and version name, but I am getting a warning message from Google Play:
Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article.
Thanks in advance.
Best answer
On this Flutter project we believed that several of our builds were correct, but they were rejected again and again; in the end we found the answer.
Pubspec.yaml - previous version.
flutter_html: ^0.11.1
flutter:
  sdk: flutter
flutter_localizations:
  sdk: flutter
http: ^0.12.0+2
provider: ^4.1.3
logger: ^0.7.0+2
shared_preferences: ^0.5.4+6
json_annotation: ^3.0.0
flutter_dotenv: ^2.1.0
flutter_swiper: ^1.1.6
package_info: ^0.4.0+3
get_version: ^0.2.0+1
uuid: ^2.0.4
flappy_translator: ^1.2.2
flutter_circular_chart: ^0.1.0
percent_indicator: "^2.1.1"
intl: ^0.16.0
bezier_chart: ^1.0.15
charts_flutter: ^0.8.1
fl_chart: ^0.6.0
flutter_native_timezone: ^1.0.4
url_launcher: ^5.7.8
permission_handler: ^5.0.1+1
onesignal_flutter: 2.6.1
flutter_braintree: 1.1.0
after_layout: ^1.0.7+2
flutter_svg: ^0.19.0
custom_switch_button: 0.5.0
wc_flutter_share: ^0.2.2
esys_flutter_share: ^1.0.2
just_audio: ^0.4.4
cached_network_image: 2.2.0+1
sqflite: ^1.3.1
cupertino_icons: ^0.1.2
in_app_purchase: 0.3.4+5
Hostname verification
import javax.net.ssl.HttpsURLConnection

// Custom verifier installed from the Android host of the Flutter app. It accepts the
// hostname only when it matches one of the project's own backends or a known
// third-party endpoint. Note that containsMatchIn is a substring search (the patterns
// are not anchored to the whole hostname) and that the SSLSession argument is ignored.
HttpsURLConnection.setDefaultHostnameVerifier { hostname, _ ->
    val herokuPattern = "PROJECTNAME-(dev|stg|prd)\\.herokuapp\\.com".toRegex()
    val awsPattern = "PROJECTNAME-(dev|stg|prd)\\.s3\\..*\\.amazonaws\\.com".toRegex()
    herokuPattern.containsMatchIn(hostname)
        || awsPattern.containsMatchIn(hostname)
        || hostname.equals("onesignal.com", ignoreCase = true)
        || hostname.equals("api.braintreegateway.com", ignoreCase = true)
        || hostname.equals("payments.braintree-api.com", ignoreCase = true)
        || hostname.equals("api.sandbox.braintreegateway.com", ignoreCase = true)
        || hostname.equals("payments.sandbox.braintree-api.com", ignoreCase = true)
}
After the first attempt we received the same message as you:
HostnameVerifier: Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article.
We then turned to Google Play Developer Support and asked what we should do, given how little information there was about the problem. A week later we received a message that gave us a better idea, if not of how to find the solution, at least of where to look for it.
Vulnerable HostnameVerifier implementations:
- Lf/a/a/a/a/l/e$a;
- Lf/a/a/a/a/l/f$a;
- To handle hostname verification correctly, you need to change the verify method of your custom HostnameVerifier interface so that it returns false when the server's hostname does not match your expectations. You can refer to the alert page in the Play Console for further guidance.
Exposed Google Cloud Platform (GCP) API key.
- com.onesignal.h2->d
The location of the exposed GCP API key in your app can be found in your app's Play Console notification. You can refer to this Help Center page to fix the leaked-credentials vulnerability.
The OneSignal information was clear enough: after a short search we found similar reports recommending bumping the version (from 2.6.1) to onesignal_flutter: 2.6.2. That resolved the OneSignal issue.
Honestly, there were two weeks of despair during which we could not find any information about the vulnerable implementation issue, nor any advice from Developer Support beyond:
"Although I'm happy to answer any questions about managing your apps on the Google Play Store, our team isn't trained to provide technical support for app development questions. For help developing Android apps, I recommend using our Android Developers site. The site has technical documentation, the Android SDK, and tips for distributing your apps." - Google Play Developer Support.
In the end we had to work through the vulnerability issues in relation to the plugins we use, and found a Braintree issue recommending setting the version to flutter_braintree: 1.1.0+1.
After these two version bumps (OneSignal, Braintree) no further messages about the HostnameVerifier issue arrived, and everything looks fine.
Pubspec.yaml
flutter_html: ^0.11.1
flutter:
  sdk: flutter
flutter_localizations:
  sdk: flutter
http: ^0.12.0+2
provider: ^4.1.3
logger: ^0.7.0+2
shared_preferences: ^0.5.4+6
json_annotation: ^3.0.0
flutter_dotenv: ^2.1.0
flutter_swiper: ^1.1.6
package_info: ^0.4.0+3
path_provider: 1.6.24
get_version: ^0.2.0+1
uuid: ^2.0.4
flappy_translator: ^1.2.2
flutter_circular_chart: ^0.1.0
percent_indicator: "^2.1.1"
intl: ^0.16.0
bezier_chart: ^1.0.15
charts_flutter: ^0.8.1
fl_chart: ^0.6.0
flutter_native_timezone: ^1.0.4
url_launcher: ^5.7.8
permission_handler: ^5.0.1+1
onesignal_flutter: 2.6.2
flutter_braintree: 1.1.0+1
after_layout: ^1.0.7+2
flutter_svg: ^0.19.0
custom_switch_button: 0.5.0
wc_flutter_share: ^0.2.2
esys_flutter_share: ^1.0.2
just_audio: ^0.5.7
cached_network_image: 2.2.0+1
sqflite: ^1.3.1
cupertino_icons: ^0.1.2
in_app_purchase: 0.3.4+5
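As an added example (not code from the answer above, nor from any of the plugins it names), here is the shape of HostnameVerifier that satisfies the guidance quoted from Google: it keeps the platform's own certificate-to-hostname check and then applies an allowlist that has to match the whole hostname, returning false on anything else. The hostnames are placeholders in the same shape as the answer's allowlist; the class and function names are mine.

```kotlin
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLSession

// Added example; hostnames are placeholders in the shape of the answer's allowlist.

// An "unsafe implementation" in Google's sense: it accepts every hostname, so a
// certificate valid for any site is accepted for your API host. This is what Play flags.
val unsafeVerifier = HostnameVerifier { _, _ -> true }

// DNS names are case-insensitive, so compare ignoring case.
private fun host(pattern: String) = Regex(pattern, RegexOption.IGNORE_CASE)
private fun literal(name: String) = host(Regex.escape(name))

// Allowlist of complete hostnames. Regex.matches() requires the whole input to match,
// so "PROJECTNAME-dev.herokuapp.com.attacker.net" and "evil-PROJECTNAME-dev.herokuapp.com"
// are both rejected, unlike a containsMatchIn() substring search.
val allowedHosts: List<Regex> = listOf(
    host("""PROJECTNAME-(dev|stg|prd)\.herokuapp\.com"""),
    host("""PROJECTNAME-(dev|stg|prd)\.s3\.[a-z0-9-]+\.amazonaws\.com"""),
    literal("onesignal.com"),
    literal("api.braintreegateway.com"),
    literal("payments.braintree-api.com"),
    literal("api.sandbox.braintreegateway.com"),
    literal("payments.sandbox.braintree-api.com"),
)

fun isAllowedHost(hostname: String): Boolean = allowedHosts.any { it.matches(hostname) }

// Runs the platform's own check first (does the certificate actually name this host?)
// and only then applies the app's allowlist. Any mismatch yields false, as Google asks.
class AllowlistHostnameVerifier(private val platform: HostnameVerifier) : HostnameVerifier {
    override fun verify(hostname: String, session: SSLSession): Boolean =
        platform.verify(hostname, session) && isAllowedHost(hostname)
}

fun installHostnameVerifier() {
    // Capture the platform default BEFORE replacing it: afterwards
    // getDefaultHostnameVerifier() would return our own verifier.
    val platform = HttpsURLConnection.getDefaultHostnameVerifier()
    HttpsURLConnection.setDefaultHostnameVerifier(AllowlistHostnameVerifier(platform))
}

fun main() {
    check(isAllowedHost("PROJECTNAME-dev.herokuapp.com"))
    check(isAllowedHost("projectname-prd.s3.eu-west-1.amazonaws.com"))
    check(isAllowedHost("API.braintreegateway.com"))
    check(!isAllowedHost("PROJECTNAME-dev.herokuapp.com.attacker.net"))
    check(!isAllowedHost("evil-PROJECTNAME-dev.herokuapp.com"))
    check(!isAllowedHost("onesignal.com.attacker.net"))
    println("allowlist checks passed")
}
```

Call installHostnameVerifier() once from the Android host (for example in the Application or MainActivity) before any HttpsURLConnection is opened. Note that dart:io's HttpClient does not use javax.net.ssl.HostnameVerifier at all: the Play scan inspects the Java/Kotlin classes packaged in the APK, which in a Flutter app means the Android host code and the plugins' native SDKs. That is why the fix in the answer was bumping plugin versions rather than changing Dart code.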
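The report in the answer names the flagged classes only by obfuscated descriptor (Lf/a/a/a/a/l/e$a; and Lf/a/a/a/a/l/f$a;), which is why they were so hard to attribute to a plugin. The R8/ProGuard mapping.txt written by the same release build maps those names back to their originals. The following Kotlin is added here and is not part of the answer: it looks a descriptor up in the mapping text. The sample mapping and the class names in it are constructed for the example, and the output path is only the usual one for a Flutter Android release build.

```kotlin
// Added example, not from the answer above. Resolves an obfuscated class descriptor
// from a Play Console report to its original name using the R8/ProGuard mapping.txt
// written by the release build (for a Flutter app typically
// build/app/outputs/mapping/release/mapping.txt). Sample data below is constructed.

// "Lf/a/a/a/a/l/e$a;" (Dalvik descriptor) -> "f.a.a.a.a.l.e$a" (the form used in mapping.txt).
fun descriptorToClassName(descriptor: String): String =
    descriptor.removePrefix("L").removeSuffix(";").replace('/', '.')

// Class lines in mapping.txt are unindented: "original.Name -> obfuscated.name:".
// Indented lines describe members of the preceding class and are skipped.
fun lookupOriginalClass(mapping: String, descriptor: String): String? {
    val target = descriptorToClassName(descriptor)
    return mapping.lineSequence()
        .filter { it.isNotEmpty() && !it[0].isWhitespace() }
        .map { it.trimEnd(':').split(" -> ") }
        .firstOrNull { it.size == 2 && it[1] == target }
        ?.get(0)
}

fun main() {
    val d = '$'
    // Constructed sample of a mapping.txt; the original class names are invented.
    val sampleMapping = """
        com.example.sdk.net.PinnedVerifier -> f.a.a.a.a.l.e:
            boolean verify(java.lang.String,javax.net.ssl.SSLSession) -> verify
        com.example.sdk.net.PinnedVerifier${d}Fallback -> f.a.a.a.a.l.e${d}a:
            boolean verify(java.lang.String,javax.net.ssl.SSLSession) -> verify
    """.trimIndent()

    for (descriptor in listOf("Lf/a/a/a/a/l/e${d}a;", "Lf/a/a/a/a/l/f${d}a;")) {
        val original = lookupOriginalClass(sampleMapping, descriptor)
        println("$descriptor -> ${original ?: "not found (is this mapping.txt from the exact build you uploaded?)"}")
    }
}
```

The package of the resolved name tells you which plugin's native SDK carries the flagged verifier, so you know which pubspec.yaml entry to bump. Keep the mapping.txt of every uploaded build: the obfuscated names change between builds, and a mapping from a different build will not resolve the descriptors in the report.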
On android-security - how to fix the HostnameVerifier interface issue when uploading an app to the Google Play Console, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46630068/