How to mitigate weird webview SSL/HTTPS errors in webview?

Question

I implemented an app that essentially loads Amazon in an a webview, so obviously we should not be having to worry about ssl errors, however, I ran into a problem where two users only received a blank page when try to load the page.

By overloading the onReceivedSslError() method, I was able to determine that the webview was throwing many SSL_INVALID and was able to load the page by ignoring them and calling the handler.proceed function.

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    handler.proceed();
}

Both of these issues occurred on Android 5.0+, therefore, I tried downloading the webview app from google play since webview is external after Android 5.0. It fixed the issue. No more SSL errors were thrown, and Amazon loaded up fine.

Now here are the correlations I was able to find between the two users. Both of them has Android 5.0+ and both were able to previously load Amazon in the webview in the past but then ran into this issue AFTER they ran low on storage space. I think the storage issue caused webview to start throwing these SSL errors?

Im asking if anyone could shed somelight as too why this is happening, and if there are any mitigation ideas?

Answer 1

This was a bug in Chrome and is nothing to do with the storage space.

The bug is detailed here: https://bugs.chromium.org/p/chromium/issues/detail?id=664177

Basically 10 weeks after Chrome 53's build date (30th August 2016), so on 7th November 2016, sites that used HTTPS certificates issued by Symantec or its subsidiaries (e.g. Geotrust and Thawte) stopped working in Chrome. As Symantec is one of the largest CAs in the world this affected a lot of sites. Only fix is to upgrade.

A short term solution was to update to Chrome 54 which should have kept you going until the 27th December 2016 or 7th January 2017 (depending on the exact version of 54 you were using), when it too hit the 10 week deadline. The bug was fixed permanently in Chrome 55.

So hoping your users will upgrade (or persuading them to if they contact you) is basically the only option.

The only other option is to move Certificate Authorities away from Symantec to another cert provider for websites you want to view (which the suspicious amongst you may think was partially Google's intention as this change did happen indirectly as part of a punishment from Google to Symantec, even though it wasn't apparently intended to cause this issue). Obviously that is not an option for websites you are not in control of such as Amazon.

I am not aware of any place that details the WebView version per device/OS release.

More details here, here, here or even here.

Cause me quite a bit of pain to figure this out when it happened to me :-(