Phonegap Android app ajax requests to HTTPS fail with status 0

Question

Ajax HTTPS requests from my PhoneGap/Cordova app on Android inexplicably fail with status=0. It appears only when signing the app with the release key (i.e., exporting from ADT), but doesn't appear when signing with debug key (running directly in emulator or phone).

request = new XMLHttpRequest()
request.open "GET", "https://some.domain/", true
request.onreadystatechange = ->
  console.log "** state = " + request.readyState
  if request.readyState is 4
      console.log "** status = " + request.status

request.send()

always outputs

** state = 4
** status = 0

It doesn't matter if i install the app from Play Store or with adb utility. I presume it could be connected with the certificate, since not all HTTPS domains fail this way.

Answer 1

I was having the same problem but my solution was a little different.

1. In only the Android App build of my Cordova app, AJAX calls to my server via HTTPS were being blocked. Not in iOS, not in desktop browsers. Most confusingly, in the actual Android Browser the HTTPS AJAX calls would work no problem.

2. I verified that I could make HTTPS AJAX calls to well known and trusted URLs such as https://google.com as well as regular HTTP calls to any URL I cared to try.

3. This led me to believe that my SSL cert was either NOT installed 100% correctly OR the cheap (~$10 usd) cert from PositveSSL was not universally trusted OR both.

4. My cert was installed on my AWS Load Balancer so I looked around about how I may have messed this up and also how PositiveSSL was not the best cert to be using in terms of trustworthiness. Lucky me found an article covering AWS ELB installation of certs AND they happened to be using a PositiveSSL cert! Contained within was this little gem:

"...Don’t be fooled by the AWS dialog, the certificate chain isn’t really optional when your ELB is talking directly to a browser..."

http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/

Drumroll....

I reinstalled the cert with the "optional" Certificate Chain info and voilà!, the HTTPS AJAX calls to my server started working.

So it appears that the Android Webview is more conservative than the Android Browser in terms of cert trust. This is not totally intuitive since they are supposed to be basically the same tech.

Answer 2

It happens when the requested URL responds with an erroneous or self-signed certificate. While testing or distributing the app to friends, setting <application android:debuggable="true"...> in AndroidManifest.xml is enough — it automatically bypasses certificate errors.

But Google Play Store will not accept an APK with android:debuggable="true". First of all, the certificates, of course, need to be fixed. But while that happens, here is a workaround for PhoneGap/Cordova 3:

1. In your app package create a subclass for CordovaWebViewClient:

   public class SSLAcceptingCordovaWebViewClient extends CordovaWebViewClient {
       public SSLAcceptingCordovaWebViewClient(CordovaInterface cordova, CordovaWebView view) {
           super(cordova, view);
       }
   
       @Override
       public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
           handler.proceed();
       }
   }
   

2. Same for IceCreamCordovaWebViewClient:

   public class SSLAcceptingIceCreamCordovaWebViewClient extends IceCreamCordovaWebViewClient {
       public SSLAcceptingIceCreamCordovaWebViewClient(CordovaInterface cordova, CordovaWebView view) {
           super(cordova, view);
       }
   
       @Override
       public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
           handler.proceed();
       }
   }
   

3. in <Your App Name>.java add an override for makeWebViewClient:

   @Override
   protected CordovaWebViewClient makeWebViewClient(CordovaWebView webView) {
       if(android.os.Build.VERSION.SDK_INT < android.os.Build.VERSION_CODES.HONEYCOMB) {
           return new SSLAcceptingCordovaWebViewClient(this, webView);
       } else {
           return new SSLAcceptingIceCreamCordovaWebViewClient(this, webView);
       }
   }
   

Et voilà! SSL errors will be disregarded. However, never use erroneous certificates. Try to fix them first and use this dirty workaround only when you run out of other solutions.

Answer 3

The other option that works as well is to recompile the underlying cordova.jar file so that the test is removed completely thus no reason to worry about your cert being valid or not. I ran in the issue due to the fact that Android would not recognize the GoDaddy cert that was on the server. The cert shows valid on iOS but even when browsing from Android complained about the cert. This is from the 2.9.x branch as this is what I was working with.

cordova-android / framework / src / org / apache / cordova / CordovaWebViewClient.java

@TargetApi(8)
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {

    final String packageName = this.cordova.getActivity().getPackageName();
    final PackageManager pm = this.cordova.getActivity().getPackageManager();

    ApplicationInfo appInfo;
    try {
        appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA);
        handler.proceed();
        return;

        /* REMOVED TO BY PASS INVALID CERT CHAIN ****
        if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            // debug = true
            handler.proceed();
            return;
        } else {
            // debug = false
            super.onReceivedSslError(view, handler, error);
        }*/
    } catch (NameNotFoundException e) {
        // When it doubt, lock it out!
        super.onReceivedSslError(view, handler, error);
    }
}

NOTE: I understand this is not safe but when all else fails this solved the issue that has been on going for over 2 months including reinstalling the cert following the cert chain install guide and beside it is a site that is our own not 3rd party so no matter if valid or not it is only connecting to this server.

Answer 4

In my case it has been a missing intermediate certificate, which I had to install on my webserver. You have to keep it in mind especially when you use cheap certificates.

You can check it easily online if your certificate chain is proper, you will find a lot on google, e.g. https://www.sslshopper.com/ssl-checker.html

At the Apache2 it's part of the VirtualHost 443 directive, you have three rules in your directive, it looks like that:

SSLCertificateFile    /etc/apache2/ssl/mycert.crt

SSLCertificateKeyFile /etc/apache2/ssl/mykey.key

SSLCertificateChainFile  /etc/apache2/ssl/certification_auth_intermediate.crt

Answer 5

You can't use relese-ready (phonegap) apks with self-signed certificates. Look at this answer to get further information.

lg

fastrde