Missing/ignored SSL checks in the app webview allow MITM attack
Problem/Motivation
Missing/ignored SSL checks in the app webview on Android (but most likely iOS too) allow a MITM attack; this might also be the reason for the disabled autocomplete functionality.
Steps to reproduce
1.) Redirect kau.gov.hu via DNS override to some other IP.
2.) Start the app
3.) Click Login
Expected behavior
An SSL error warning that the certificate is invalid
Actual behavior
Loads the redirected site without any error reported.
Environment:
OS: Android 13
App version: 4.0.0
Possible cause
Someone had the bright idea to handle SSL errors (of the flutter_inappwebview plugin) with code like this:

    onReceivedServerTrustAuthRequest: (controller, challenge) async {
      return ServerTrustAuthResponse(action: ServerTrustAuthResponseAction.PROCEED);
    },

(I can't be sure, as I can't read Flutter's libapp.so natively, but it would explain why Google still has not dropped it from the Play Store)
Possible solution / workaround
Do NOT return with PROCEED on all SSL errors (because it is just stupid) and hire some testers?
Is this OK? :)
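A source-level check for the pattern suspected in this report, added here as an example and not taken from the app or from the flutter_inappwebview project. It flags any `onReceivedServerTrustAuthRequest` handler that can return `PROCEED` but has no `CANCEL` path; the function names and the Dart snippets it scans are constructed for illustration.

```python
import re

# Handler head, followed by a block body "{" or an arrow body "=>".
HEAD = re.compile(r"onReceivedServerTrustAuthRequest\s*:\s*\([^)]*\)\s*(?:async\s*)?(\{|=>)")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def _body(src, i, arrow):
    """Return the handler body starting at src[i], found by bracket matching."""
    depth = 0
    for j in range(i, len(src)):
        ch = src[j]
        if ch in "({[":
            depth += 1
        elif ch in ")}]":
            depth -= 1
            if depth == 0 and not arrow:   # closing brace of a block body
                return src[i:j + 1]
            if depth < 0:                  # left the enclosing argument list
                return src[i:j]
        elif ch in ",;" and depth == 0 and arrow:
            return src[i:j]                # end of an arrow expression
    return src[i:]

def find_blanket_proceed(source):
    """Line numbers of handlers that can PROCEED but never CANCEL."""
    hits = []
    for m in HEAD.finditer(source):
        arrow = m.group(1) == "=>"
        start = m.end() if arrow else m.end() - 1
        body = COMMENT.sub("", _body(source, start, arrow))  # ignore commented-out code
        if ".PROCEED" in body and ".CANCEL" not in body:
            hits.append(source.count("\n", 0, m.start()) + 1)
    return hits

# Constructed Dart snippets used as scan input (not the app's real source).
VULNERABLE = """InAppWebView(
  onReceivedServerTrustAuthRequest: (controller, challenge) async {
    return ServerTrustAuthResponse(action: ServerTrustAuthResponseAction.PROCEED);
  },
)"""
ARROW = """InAppWebView(
  onReceivedServerTrustAuthRequest: (c, ch) async =>
      ServerTrustAuthResponse(action: ServerTrustAuthResponseAction.PROCEED),
)"""
REFUSES = """InAppWebView(
  onReceivedServerTrustAuthRequest: (controller, challenge) async {
    return ServerTrustAuthResponse(action: ServerTrustAuthResponseAction.CANCEL);
  },
)"""
```

The check is a text heuristic meant for CI review gates: a hit means the handler needs a human look, and it does not replace testing the built app against an invalid certificate as in the steps above.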