HTTPS blocked for Ionic build --release android apk

Question

Debug apk works fine, which rules out the usual suspects, but when I build, sign, install the release version, no https $http API calls can be made by angular (http to the same endpoint, which I permitted for debugging, works).

cordova whitelist is installed ionic plugin add cordova-plugin-whitelist

manifest.xml contains the correct directives

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

Ionic config.xml contains the correct directives

  <access origin="*"/>
  <allow-navigation href="*" />

My index.html declares a permissive Content-Security-Policy:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

I also checked my intermediate certificate chain using two different online SSL checkers--they are fine.

I'm totally stumped. Any ideas?

Answer 1

Re-apply SSL certs taking special care to include intermediary certs.

Despite https://cryptoreport.websecurity.symantec.com/checker/ and three other SSL checkers saying my SSL certs were fine, just to be safe I reset and configured my AWS Elastic Load Balancer SSL settings ensuring we I had included the (says optional, but not optional) intermediate cert, and the problem went away after that.

Answer 2

Modify this function in SystemWebViewClient.java found in 

platforms\android\CordovaLib\src\org\apache\cordova

public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
  final String packageName = this.cordova.getActivity().getPackageName();
  final PackageManager pm = this.cordova.getActivity().getPackageManager();

  ApplicationInfo appInfo;
  try {
    appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA);
    if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
      // debug = true
      handler.proceed();
      return;
    } else {
      // debug = false
      // THIS IS WHAT YOU NEED TO CHANGE:
      // 1. COMMENT THIS LINE
      // super.onReceivedSslError(view, handler, error);
      // 2. ADD THESE TWO LINES
      // ---->
      handler.proceed();
      return;
      // <----
    }
  } catch (NameNotFoundException e) {
    // When it doubt, lock it out!
    super.onReceivedSslError(view, handler, error);
  }
}

This will ignore if there is any SSL error occured on third party signed self generated certificates. read in detail here