Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Handling certificate errors in Android Webview and clearing the certificate peferences

I am trying to find a proper way to handle SSL certificate errors in the Android Webview. My goal is to provide a way to load pages with SSL certificate errors, but let the user choose to load the page after warning him about security any time he tries to load a URL with certificate errors.

The closest solutions I found in threads suggest overriding the WebViewClient as following:

webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(final WebView view, final SslErrorHandler handler, final SslError error) {
        handler.proceed();
    }
});

However this basically disables SSL in the WebView without the user consent.

For reference here are the threads where I found that solution:

Android WebView SSL 'Security Warning'

Does the Web View on Android support SSL?

Android WebView not loading an HTTPS URL

android webview with client certificate

Web view shows blank/white page after loading URL when using WIFI in Android

Unable to load a specific webpage on Android webview

WebView displays a blank view for certain links

Android WebView blocks redirect from https to http

Ignore ssl certificate requests in webview

I went ahead and implemented a slightly different version which prompts the user:

webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(final WebView view, final SslErrorHandler handler, final SslError error) {
        //Showing a first confirmation dialog
        AndroidUtils.showYesNoDialog(
            //First confirmation message
            "WARNING - THIS PAGE IS NOT SECURE! Are you sure you want to continue loading it?",
            //First confirmation "YES" option runnable
            new Runnable() {
                @Override
                public void run() {
                    //Showing a second confirmation dialog
                    AndroidUtils.showYesNoDialogWithResId(
                        //Second confirmation message
                        "You chose to load an unsecure page, are you sure you want to do that?",
                        //Second confirmation "YES" option runnable
                        new Runnable() {
                            @Override
                            public void run() {
                                //Disregard the error and proceed with the bad certificate anyways
                                handler.proceed();
                            }
                        },
                        //Second confirmation "NO" option runnable
                        new Runnable() {
                            @Override
                            public void run() {
                                //Cancel loading the page with that certificate error
                                handler.cancel();
                            }
                        }
                    );
                }
            },
            //First confirmation "NO" option runnable
            new Runnable() {
                @Override
                public void run() {
                    //Cancel loading the page with that certificate error
                    handler.cancel();
                }
            });
    }
});

This implementation asks the user twice if he wants to load the page, if he says yes twice, then the error is disregarded and the page loads, otherwise the page loading is canceled.

The first time a URL with certificate error loads, WebViewClient.onReceivedSslError is called, however if the user proceeds with the certificate error and SslErrorHandler.proceed() is called, the following times the same URL loads, WebViewClient.onReceivedSslError is never called again: only killing the app resets this behavior.

I would want WebViewClient.onReceivedSslError to be called systematically when a URL with a certificate error loads, not just the first time. I tried calling those methods without success:

/** JAVADOC QUOTE: Clears the SSL preferences table stored in response to proceeding with SSL certificate errors.*/
webView.clearSslPreferences();
//Those other methods I tried out of despair just in case
webView.clearFormData();
webView.clearCache(true);
webView.clearHistory();
webView.clearMatches();

Does anybody know how to make the WebView call WebViewClient.onReceivedSslError more than once for the same URL, after SslErrorHandler.proceed() has been called?

like image 375
androidseb Avatar asked Feb 05 '16 21:02

androidseb


People also ask

How do I address Webview SSL error handler alerts?

To correct the issue, please update your apps code to invoke SslErrorHandler. proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler. cancel() otherwise.

How do I clear SSL state on my phone?

The SSL error may be because of some malware/virus, and the only thing that can solve it in this case is a Factory Data Reset. You can reset your phone by navigating to Settings >> Backup and Reset >> Factory data reset.


2 Answers

Do not ever override onReceivedSslError method. Goole play will reject your upload smartest way is to handle SSL error use webSettings.setDomStorageEnabled(true);

like image 61
Chinthaka Devinda Avatar answered Sep 16 '22 15:09

Chinthaka Devinda


Yes, you can use clearSslPreferences() like here:

webView.clearSslPreferences()

It'll clear your decision for this object of WebView

like image 40
Djek-Grif Avatar answered Sep 18 '22 15:09

Djek-Grif