I'm building a test version of an app for a client. Part of this app uses a WebView that calls out to a SSL-based site. In turn, the client has provided a test domain where the certificate name does not match the FQDN. Alas, they are not in a position to provision a cert that matches. :(
I'm working around this issue on the companion iOS ad hoc app with one line of code (again, not for production use - just for test purposes). I have searched for similar info on Android OS, but the solutions I've seen here and elsewhere are enough to make my head spin big time by comparison!
Is there a straightforward way to work around this? Even a user-facing setting tucked away somewhere?
Clues appreciated!
To correct the issue, please update your app's code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
Start by opening Chrome and then pressing “Menu.” Go to “Privacy” and select “Settings.” Then choose “Clear Browsing Data.” Check all the boxes on the screen and then hit “Clear.”
WebView is in common use in Android applications. Although the default configuration is secure, developers tend to make changes to that configuration which may introduce security risks.
WebViews pose a risk (such as cross-site scripting) on websites that contain private or sensitive data. To ensure your applications remain secure and optimized for the best possible user experience, follow the best practices below.
Create a WebViewClient and handle the onReceivedSslError callback, which looks like this:

```java
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error)
```

Inside this callback you can just call handler.proceed() and the page will continue loading. If you don't handle this callback and call the proceed() method, then the default behaviour will be for the page not to load.
Updated answer according to Google's new security policy update for the SSL Error Handler; please see this Android Developers Help Center article.

This is to prevent rejection of the application on Google Play for violating Google's Malicious Behavior policy.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I added an alert dialog to make the user confirm, and it seems Google no longer shows the warning.
```java
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // Inside a WebViewClient, `this` is not a Context; use the WebView's Context for the dialog.
    final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
    String message = "SSL Certificate error.";
    // getPrimaryError() reports the most severe problem found with the certificate.
    switch (error.getPrimaryError()) {
        case SslError.SSL_UNTRUSTED:
            message = "The certificate authority is not trusted.";
            break;
        case SslError.SSL_EXPIRED:
            message = "The certificate has expired.";
            break;
        case SslError.SSL_IDMISMATCH:
            message = "The certificate hostname mismatch.";
            break;
        case SslError.SSL_NOTYETVALID:
            message = "The certificate is not yet valid.";
            break;
    }
    message += " Do you want to continue anyway?";
    builder.setTitle("SSL Certificate Error");
    builder.setMessage(message);
    // proceed() loads the page despite the error; cancel() aborts the load (the default behaviour).
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}
```
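As an added example (not code from any answer on this page), here is a way to apply the "proceed only when the certificate meets your expectations" rule narrowly for the situation in the question: proceed only for the known test host, only for the expected hostname-mismatch error, and only when the served leaf certificate's SHA-256 fingerprint matches one bundled into the debug build; every other error keeps the default cancel(). The host name, the fingerprint placeholder and the use of the module's generated BuildConfig.DEBUG flag are assumptions, and SslCertificate.getX509Certificate() requires API 29.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Locale;

/** Accepts exactly one known test certificate for one host, and only in debug builds. */
public class TestHostWebViewClient extends WebViewClient {
    // Hypothetical values: the client's test host and the SHA-256 of its DER-encoded leaf cert.
    private static final String TEST_HOST = "test.example.invalid";
    private static final String TEST_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000"; // placeholder

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // BuildConfig.DEBUG is the module's generated flag, so release builds never proceed here.
        if (BuildConfig.DEBUG && isExpectedTestCert(error)) {
            handler.proceed(); // the one anticipated error: name mismatch on the pinned cert
        } else {
            handler.cancel();  // everything else keeps the platform default: do not load
        }
    }

    static boolean isExpectedTestCert(SslError error) {
        // Only the specific failure the test host is known to have.
        if (error.getPrimaryError() != SslError.SSL_IDMISMATCH) return false;
        String host = Uri.parse(error.getUrl()).getHost();
        if (host == null || !host.equalsIgnoreCase(TEST_HOST)) return false;
        try {
            X509Certificate cert = error.getCertificate().getX509Certificate(); // API 29+
            if (cert == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return TEST_CERT_SHA256.equalsIgnoreCase(toHex(digest));
        } catch (Exception e) {
            return false; // any failure to verify means: do not proceed
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format(Locale.ROOT, "%02x", b));
        return sb.toString();
    }
}
```

Obtain the fingerprint from the test server's certificate out of band (for example from the client) rather than from the first connection, so the check actually pins what you expect.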