13

I have noticed one problem on the Play Store: Google sent a mail saying my app is unsafe because of its use of SSL.

Currently in my application I have one WebView which loads a link, and it contains an https URL.

In the web settings I'm doing this:

web.setWebViewClient(new SSLTolerentWebViewClient());

To ignore the SSL certificate I use the following code, but because it ignores the certificate the Play Store shows my app as unsafe:

private class SSLTolerentWebViewClient extends WebViewClient {
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // Ignore SSL certificate errors
    }
}

Can anyone suggest how I can do this so my WebView can handle https URLs and the Play Store does not mark my app as unsafe?

Bhargav
Ajay Pandya
  • Why do you have to ignore ssl certificate errors? – Bhargav Feb 23 '16 at 04:55
  • If we don't ignore them the web page does not load, so I'm using that, but now the Play Store shows a warning that they may reject the app in future. – Ajay Pandya Feb 23 '16 at 04:56
  • It's wrong; you need to find out what SSL errors you are getting and fix them, because an https website MUST communicate over SSL, and for that to happen the SSL certificate is very important – Bhargav Feb 23 '16 at 04:58
  • Can you suggest how I can do this, any reference? OK, you mean I should tell you which error occurs in onReceivedSslError, right? – Ajay Pandya Feb 23 '16 at 05:00
  • well log the `SslError` and post the error text here then maybe I can help – Bhargav Feb 23 '16 at 05:01
  • This is the error log: primary error: 3 certificate: Issued to: CN=*.maharashtra.gov.in,OU=Information Technology,O=Directorate of Information Technology,L=Mumbai,ST=Maharashtra,C=IN; Issued by: CN=thawte SSL CA - G2,O=thawte\, Inc.,C=US; – Ajay Pandya Feb 23 '16 at 05:17
  • Check if the site/service you're connecting to has a valid certificate and is serving all intermediate certificates in the SSL handshake. You can use a tool like Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/index.html) to determine this. – Anand Bhat Feb 23 '16 at 16:28
  • Yes, you are right; actually the certificate is not there, they are just using https but don't have a certificate, and if I load without https then a blank page is shown. – Ajay Pandya Feb 24 '16 at 04:34

3 Answers

35

To solve the Google Play warning: WebViewClient.onReceivedSslError handler

Do not always force handler.proceed(); you also have to include handler.cancel() so the user can prevent unsafe content from loading.

To handle the unsafe implementation of the WebViewClient.onReceivedSslError handler

Use the following code:

webView.setWebViewClient(new SSLTolerentWebViewClient());
webView.loadUrl(myHttpsUrl); // myHttpsUrl: a String holding your https URL

and

private class SSLTolerentWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // Show the specific certificate problem and let the user decide whether to continue

        AlertDialog.Builder builder = new AlertDialog.Builder(Tab1Activity.this);
        AlertDialog alertDialog = builder.create();
        String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }

        message += " Do you want to continue anyway?";
        alertDialog.setTitle("SSL Certificate Error");
        alertDialog.setMessage(message);
        alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                // Ignore SSL certificate errors
                handler.proceed();
            }
        });

        alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {

                handler.cancel();
            }
        });
        alertDialog.show();
    }
}
Ajay Pandya
Pratik Tank
  • We should really see on the Web an answer to embed our certificate and add it into the trusted keystore. It should avoid man-in-the-middle attacks on this kind of vulnerability. – Alex Aug 26 '16 at 09:46
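
The approach the comment above asks for, as an added example that is not part of the original answers: an `onReceivedSslError` that cancels by default and proceeds only when the sole problem is an untrusted chain, the host is the expected one, and the server certificate matches a fingerprint shipped with the app. The class name, `expectedHost` and `pinnedSha256` are assumptions supplied by the caller.

```java
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (hypothetical class): cancel on every SSL error unless the certificate is pinned.
public class PinnedCertWebViewClient extends WebViewClient {
    private final String expectedHost;  // assumption: the single host this WebView loads
    private final byte[] pinnedSha256;  // assumption: SHA-256 of that server's DER certificate

    public PinnedCertWebViewClient(String expectedHost, byte[] pinnedSha256) {
        this.expectedHost = expectedHost;
        this.pinnedSha256 = pinnedSha256.clone();
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (isPinnedCertificate(error)) handler.proceed();
        else handler.cancel();  // default: never load over an unverified connection
    }

    private boolean isPinnedCertificate(SslError error) {
        // Only an untrusted chain may be overridden; expired, not-yet-valid,
        // hostname-mismatch and generic errors always cancel.
        if (!error.hasError(SslError.SSL_UNTRUSTED) || error.hasError(SslError.SSL_EXPIRED)
                || error.hasError(SslError.SSL_NOTYETVALID) || error.hasError(SslError.SSL_IDMISMATCH)
                || error.hasError(SslError.SSL_DATE_INVALID) || error.hasError(SslError.SSL_INVALID)) {
            return false;
        }
        String host = Uri.parse(error.getUrl()).getHost();
        if (host == null || !host.equalsIgnoreCase(expectedHost)) return false;
        // saveState() stores the DER bytes under this key; API 29+ also has getX509Certificate()
        Bundle state = SslCertificate.saveState(error.getCertificate());
        byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
        if (der == null) return false;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(digest, pinnedSha256);  // constant-time compare
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }
}
```

If the server is fixed to send its full certificate chain, no override is needed: the default `WebViewClient.onReceivedSslError` already cancels the load.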
3

Just for future reference or for anyone else that is facing the same problem! Using Xamarin Forms.

It works, here is the full code I used. It also fixes another bug where the Scroll of the WebView is not working anymore when using Xamarin Shell.

using System;
using Android.Content;
using Android.Views;
using Mobile.Droid.Render;
using Xamarin.Forms;
using Xamarin.Forms.Platform.Android;

[assembly: ExportRenderer(typeof(WebView), typeof(MyWebViewRenderer))]
namespace Mobile.Droid.Render
{
    public class MyWebViewRenderer : WebViewRenderer
    {
        public MyWebViewRenderer(Context context) : base(context)
        {
        }

        public override bool DispatchTouchEvent(MotionEvent e)
        {
            Parent.RequestDisallowInterceptTouchEvent(true);
            return base.DispatchTouchEvent(e);
        }


        protected override void OnElementChanged(ElementChangedEventArgs<Xamarin.Forms.WebView> e)
        {
            base.OnElementChanged(e);

            // Setting the background as transparent
            this.Control.SetBackgroundColor(Android.Graphics.Color.Transparent);
            if (e.OldElement == null)
            {
                Control.SetWebViewClient(new MyFormsWebViewClient(this));
            }
        }

        internal class MyFormsWebViewClient : FormsWebViewClient
        {
            MyWebViewRenderer _renderer;

            public MyFormsWebViewClient(MyWebViewRenderer renderer) : base(renderer)
            {
                _renderer = renderer;
            }

            public override void OnReceivedSslError(Android.Webkit.WebView view, Android.Webkit.SslErrorHandler handler, Android.Net.Http.SslError error)
            {
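                // Proceeds past every certificate error without validation;
                // this is the pattern Google Play flags as unsafe.
                handler.Proceed();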
            }

            public override void OnPageFinished(Android.Webkit.WebView view, string url)
            {
                base.OnPageFinished(view, url);
            }

            public override void OnLoadResource(Android.Webkit.WebView view, string url)
            {
                base.OnLoadResource(view, url);
            }
        }
    }
}
-4

Try linking to webpage with http rather than https. This will probably redirect to the https site. You will not need to code to ignore the security certificate.

Fred Knerk
  • Yes, I tried that, but it shows a blank page; if I try removing the s from https it does not load properly. – Ajay Pandya Feb 25 '16 at 05:45
  • What happens if you try to load outside the app? I.e. remove `WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.setWebViewClient(new WebViewClient());` from your activity, or your own WebView client code if you have one. – Fred Knerk Feb 25 '16 at 23:54
  • Yes, there is no issue loading with the WebView client or Chrome view, but I want it in the app screen only, that is why. – Ajay Pandya Feb 26 '16 at 03:45