9

I'm building a test version of an app for a client. Part of this app uses a WebView that calls out to a SSL-based site. In turn, the client has provided a test domain where the certificate name does not match the FQDN. Alas, they are not in a position to provision a cert that matches. :(

I'm working around this issue on the companion iOS ad hoc app with one line of code (again, not for production use - just for test purposes). I have searched for similar info on Android OS, but the solutions I've seen here and elsewhere are enough to make my head spin big time by comparison!

Is there a straightforward way to work around this? Even a user-facing setting tucked away somewhere?

Clues appreciated!

Joe D'Andrea
  • 5,141
  • 6
  • 49
  • 67

2 Answers2

6

Create a WebViewClient and handle the onReceivedSslError which looks like this:

public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error)

Inside this callback you can just call handler.proceed() and the page will continue loading. If you don't handle this callback and call the proceed() method then the default behaviour will be for the page not to load.

Lee
  • 3,996
  • 3
  • 33
  • 37
  • 1
    WARNING: This is dangerous -- it removes all security from SSL. I know Joe wants to include it just in his test app, which is good, but the security community has seen many cases where this sort of code inadvertently makes its way into production versions, silently and inadvertently compromising their security. So, if you turn off security like this, BE VERY CAREFUL to make sure it doesn't propagate to your release versions. Thank you for listening to this public service announcement. – D.W. Feb 25 '13 at 22:20
1

Updated answer according Google's new Security policy update for SSL Error Handler, please see this Android Developers Help Center article.

For prevent rejection of application on Google Play for violating our Malicious Behavior policy.

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
 String message = "SSL Certificate error.";
    switch (error.getPrimaryError()) {
        case SslError.SSL_UNTRUSTED:
            message = "The certificate authority is not trusted.";
            break;
        case SslError.SSL_EXPIRED:
            message = "The certificate has expired.";
            break;
        case SslError.SSL_IDMISMATCH:
            message = "The certificate Hostname mismatch.";
            break;
        case SslError.SSL_NOTYETVALID:
            message = "The certificate is not yet valid.";
            break;
    }
    message += " Do you want to continue anyway?";

    builder.setTitle("SSL Certificate Error");
    builder.setMessage(message);

builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
    @Override
    public void onClick(DialogInterface dialog, int which) {
        handler.proceed();
    }
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
    @Override
    public void onClick(DialogInterface dialog, int which) {
        handler.cancel();
    }
});
final AlertDialog dialog = builder.create();
dialog.show();

}

Anant Shah
  • 3,744
  • 1
  • 35
  • 48