Issue found: Invalid Encryption Declaration on your Data safety form. What is the Solution?

Question

We’ve detected discrepancies between how your app collects and shares user data and what was declared in your app’s Data safety form. All apps are required to complete an accurate Data safety form that discloses their data collection and sharing practices - this is required even if your app does not collect any user data.

You have declared that user data is encrypted in transit in your app’s Data safety form and we’ve detected unencrypted network traffic that may carry user data off device.

Issue details

We found an issue in the following area(s):

APK 20: Policy Declaration - Data Safety Section: "http://data.altbeacon.org"
APK 24: Policy Declaration - Data Safety Section: "http://data.altbeacon.org"

Google has rejected the publication twice already. What is the problem with the altbeacon library, and how do I solve it?

There is a dependency that I use in the project:
implementation 'org.altbeacon:android-beacon-library:2.19.2'

Answer 1

Score: 1

The problem was fixed back in 2018 in Android Beacon Library version 2.15.2.

WHAT TO DO

Double check that you are using the latest version of the Android Beacon Library. The latest release version is 2.19.5 as seen here. If your app is using recent versions of the library, it will not have this problem.

If you still see this problem, your app may include code copied from an older version of this library, either directly or as part of a different third-party library it includes. Tracking down where this is happening is difficult, but you can start by searching your source code for the URL. If you do not see it, you will need to go through each of your dependencies. If you are stuck and cannot find it, you can try using the Network Profiler to debug your app and help track down what code is making the call.

WHAT CAUSES THE ERROR?

A few years ago, the Google Play Store started requiring apps that make web service calls to use https URLs rather than http URLs, in order to prevent apps from exposing potentially sensitive data to eavesdroppers using unencrypted network connections. Any app making network calls using unencrypted http URLs must declare so in its Google Play Store listing. Google Play's review robots test apps under review and look for any unencrypted calls. If they find any, they will reject the submission unless your listing declares that the app makes unencrypted calls.

The library switched to using an https URL back in 2018 to be compliant with this Google Play Store policy. You can see the commit here.

WHY DOES THE LIBRARY MAKE A NETWORK CALL?

The Android Beacon Library fetches an updated database of Android device models on first run so it can adjust distance estimates on a per-model basis. The network call is a simple remote fetch of data without transmitting any private information. The prior use of an http URL in this case poses very little if any security issue, but it still gets flagged by Google Play's automated tools for apps using very old library versions.

Full disclosure: I am the lead developer on the Android Beacon Library open source project, and the author of both the original code that caused this problem and the fix in 2018.
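An added example (not code from the question, the answers or the Android Beacon Library) that automates the search the answer describes: it scans project sources for cleartext `http://` literals and also opens `.jar`/`.aar` dependencies, because a copied or vendored old library exposes the URL only as a string constant inside a compiled class. The project layout, the `.aar` file name and the class name built in `demo()` are constructed for the illustration.

```python
"""Find cleartext http:// literals in an Android project tree and the .jar/.aar it vendors."""
import io, re, tempfile, zipfile
from pathlib import Path

# Host plus optional path; stops at any byte that cannot belong to a URL, so a
# literal inside a .class constant pool is cut cleanly from what follows it.
CLEARTEXT_URL = re.compile(rb"http://[A-Za-z0-9.\-]+(?:/[\w./\-?=&%]*)?")
SOURCE_SUFFIXES = {".java", ".kt", ".xml", ".gradle", ".kts", ".properties"}

def _scan_bytes(data: bytes, where: str) -> list:
    # .class files hold string constants as (modified) UTF-8, so one byte regex covers both.
    return [(where, m.group(0).decode("ascii", "replace")) for m in CLEARTEXT_URL.finditer(data)]

def _scan_zip(zf: zipfile.ZipFile, label: str) -> list:
    hits = []
    for name in zf.namelist():
        data = zf.read(name)
        if name.endswith(".jar"):  # an .aar nests its compiled code in classes.jar
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                hits += _scan_zip(inner, f"{label}!{name}")
        elif name.endswith((".class", ".xml", ".properties")):
            hits += _scan_bytes(data, f"{label}!{name}")
    return hits

def find_cleartext_urls(root: str) -> list:
    """Return (location, url) pairs for every http:// literal under root."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix in SOURCE_SUFFIXES:
            hits += _scan_bytes(path.read_bytes(), rel)
        elif path.suffix in {".jar", ".aar"} and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                hits += _scan_zip(zf, rel)
    return hits

def demo() -> list:
    """Constructed project: fixed https source plus a vendored .aar (made-up name)
    whose classes.jar still carries the old cleartext URL from the report above."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app/src").mkdir(parents=True); Path(root, "app/libs").mkdir()
        Path(root, "app/src/App.kt").write_text('val url = "https://data.altbeacon.org"\n')
        url = b"http://data.altbeacon.org"  # stand-in for a CONSTANT_Utf8 pool entry
        klass = b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x02\x01" + len(url).to_bytes(2, "big") + url
        jar = io.BytesIO()
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("com/example/vendored/OldFetcher.class", klass)
        with zipfile.ZipFile(Path(root, "app/libs/old-beacon-fork.aar"), "w") as zf:
            zf.writestr("classes.jar", jar.getvalue())
        return find_cleartext_urls(root)
```

Run `find_cleartext_urls(".")` from the project root, or point it at the Gradle cache, to list every location still carrying a cleartext URL; a hit inside an archive is reported as `archive!entry`.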

Answer 2

Score: 0

Please use https instead of http. HTTPS is more secure than HTTP because it uses encryption to protect information as it is being sent between clients and servers. When an organization enables HTTPS, any information you transmit, like passwords or credit card numbers, will be difficult for anyone to intercept.

Posted by huangapple on 2023-06-08 15:35:16
Original link: https://go.coder-hub.com/76429589.html