
Android WebView SSL 'Security Warning'

I'm building a test version of an app for a client. Part of this app uses a WebView that calls out to an SSL-based site. In turn, the client has provided a test domain where the certificate name does not match the FQDN. Alas, they are not in a position to provision a cert that matches. :(

I'm working around this issue on the companion iOS ad hoc app with one line of code (again, not for production use - just for test purposes). I have searched for similar info on Android OS, but the solutions I've seen here and elsewhere are enough to make my head spin big time by comparison!

Is there a straightforward way to work around this? Even a user-facing setting tucked away somewhere?

Clues appreciated!

Joe D'Andrea asked Sep 02 '10 19:09



2 Answers

Create a WebViewClient and handle the onReceivedSslError which looks like this:

public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error)

Inside this callback you can just call handler.proceed() and the page will continue loading. If you don't handle this callback and call the proceed() method then the default behaviour will be for the page not to load.

Lee answered Oct 20 '22 12:10


Updated answer according to Google's new security policy update for SSL Error Handler; please see this Android Developers Help Center article.

To prevent rejection of the application on Google Play for violating our Malicious Behavior policy.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I add an alert dialog to make the user confirm, and it seems Google no longer shows the warning.

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // A WebViewClient is not a Context, so take the Context from the WebView.
    final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
    String message = "SSL Certificate error.";
    // Describe the most severe error reported for this certificate.
    switch (error.getPrimaryError()) {
        case SslError.SSL_UNTRUSTED:
            message = "The certificate authority is not trusted.";
            break;
        case SslError.SSL_EXPIRED:
            message = "The certificate has expired.";
            break;
        case SslError.SSL_IDMISMATCH:
            message = "The certificate Hostname mismatch.";
            break;
        case SslError.SSL_NOTYETVALID:
            message = "The certificate is not yet valid.";
            break;
    }
    message += " Do you want to continue anyway?";

    builder.setTitle("SSL Certificate Error");
    builder.setMessage(message);

    // The page load resumes only if the user explicitly chooses to continue.
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

Anant Shah answered Oct 20 '22 11:10
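
The guidance quoted in the second answer (proceed only when the certificate meets your expectations, cancel otherwise) can be applied to the test-domain case from the question without a blanket `proceed()`. The following is an added example, not code from either answer: the class name, `TEST_HOST` and `TEST_CERT_SHA256` are placeholder assumptions, and `SslCertificate.getX509Certificate()` requires API level 29 or later.

```java
import android.content.pm.ApplicationInfo;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

public class TestHostWebViewClient extends WebViewClient {
    // Assumed placeholders: the client's test host and the SHA-256 (hex) of its certificate.
    private static final String TEST_HOST = "test.example.com";
    private static final String TEST_CERT_SHA256 = "<sha256-hex-of-test-certificate>";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // The exception applies to debuggable builds only; release builds always cancel.
        boolean debuggable = (view.getContext().getApplicationInfo().flags
                & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (debuggable && isExpectedTestCert(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }

    static boolean isExpectedTestCert(SslError error) {
        try {
            // getPrimaryError() reports only the most severe error, so test each flag.
            boolean onlyMismatch = error.hasError(SslError.SSL_IDMISMATCH)
                    && !error.hasError(SslError.SSL_UNTRUSTED)
                    && !error.hasError(SslError.SSL_EXPIRED)
                    && !error.hasError(SslError.SSL_NOTYETVALID)
                    && !error.hasError(SslError.SSL_DATE_INVALID)
                    && !error.hasError(SslError.SSL_INVALID);
            String host = Uri.parse(error.getUrl()).getHost();
            if (!onlyMismatch || !TEST_HOST.equalsIgnoreCase(host)) return false;
            X509Certificate cert = error.getCertificate().getX509Certificate(); // API 29+
            if (cert == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString().equalsIgnoreCase(TEST_CERT_SHA256);
        } catch (Exception e) {
            return false; // fail closed on any parsing or digest problem
        }
    }
}
```

Any other host, any additional certificate error, or a certificate whose fingerprint differs from the pinned value ends in `handler.cancel()`.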