4

I implemented an app that essentially loads Amazon in a webview, so obviously we should not have to worry about SSL errors. However, I ran into a problem where two users only received a blank page when trying to load the page.

By overriding the onReceivedSslError() method, I was able to determine that the webview was throwing many SSL_INVALID errors, and I was able to load the page by ignoring them and calling the handler.proceed function.

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    handler.proceed();
}

Both of these issues occurred on Android 5.0+; therefore, I tried downloading the webview app from Google Play, since webview is external after Android 5.0. It fixed the issue. No more SSL errors were thrown, and Amazon loaded up fine.

Now here are the correlations I was able to find between the two users. Both of them have Android 5.0+ and both were able to previously load Amazon in the webview in the past but then ran into this issue AFTER they ran low on storage space. I think the storage issue caused webview to start throwing these SSL errors?

I'm asking if anyone could shed some light as to why this is happening, and if there are any mitigation ideas?

Jaymin Panchal
Jacman4146
  • My guess is that these users are behind some SSL intercepting proxy which are common in enterprise environments but which can also be caused by a hacker. The wrong thing in this case is to simply ignore all SSL errors because this undermines the protection SSL should offer. Also, your app might be banished because of this insecure behavior, see http://stackoverflow.com/questions/36050741/webview-avoid-security-alert-from-google-play-upon-implementation-of-onreceiveds. – Steffen Ullrich Jan 21 '17 at 19:25
  • What site were you trying to load? Was it www.amazon.com? – Barry Pollard Jan 21 '17 at 19:53
  • Yes, https://amazon.com and all of the other country-specific URLs such as amazon.ca and amazon.co.uk... – Jacman4146 Jan 21 '17 at 20:32
  • But how come when I installed https://play.google.com/store/apps/details?id=com.google.android.webview and got the newest webview version, both apps started to work? Also, both users were able to use it just fine until the issue with storage space came up... – Jacman4146 Jan 21 '17 at 20:34

1 Answer

8

This was a bug in Chrome and is nothing to do with the storage space.

The bug is detailed here: https://bugs.chromium.org/p/chromium/issues/detail?id=664177

Basically 10 weeks after Chrome 53's build date (30th August 2016), so on 7th November 2016, sites that used HTTPS certificates issued by Symantec or its subsidiaries (e.g. Geotrust and Thawte) stopped working in Chrome. As Symantec is one of the largest CAs in the world this affected a lot of sites. Only fix is to upgrade.

A short term solution was to update to Chrome 54 which should have kept you going until the 27th December 2016 or 7th January 2017 (depending on the exact version of 54 you were using), when it too hit the 10 week deadline. The bug was fixed permanently in Chrome 55.

So hoping your users will upgrade (or persuading them to if they contact you) is basically the only option.

The only other option is to move Certificate Authorities away from Symantec to another cert provider for websites you want to view (which the suspicious amongst you may think was partially Google's intention as this change did happen indirectly as part of a punishment from Google to Symantec, even though it wasn't apparently intended to cause this issue). Obviously that is not an option for websites you are not in control of such as Amazon.

I am not aware of any place that details the WebView version per device/OS release.

More details here, here, here or even here.

Caused me quite a bit of pain to figure this out when it happened to me :-(

Barry Pollard
  • Wow, this explains the issue to a T. First email regarding the issue was sent on January 8th and my local user says the issue started around the same time. So the only fix is to force users to upgrade their webview versions by installing https://play.google.com/store/apps/details?id=com.google.android.webview ? I know after Android 5.0, webview is able to update independent of OS update, but they have to have the above app installed, correct? Is there a way to know which version of webview gets shipped out with which version of Android so I can get an estimate of affected devices? – Jacman4146 Jan 23 '17 at 18:52
  • Updated answer to give all the info I have. – Barry Pollard Jan 23 '17 at 19:53
  • Wow, this is an absolutely horrible issue to have. Thanks a lot for opening my eyes to how big this issue is. I didn't think it was near this big initially. I would totally buy you a beer if I could. Thanks a lot! – Jacman4146 Jan 23 '17 at 20:31
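
A hardened counterpart to the handler.proceed() override in the question, as an added example that is not code from the question or the answer: it cancels the load on any SSL error and reads the Chrome version from the WebView user agent to tell the aged-build bug apart from a genuine certificate failure. The class name, the Listener callback and the user-agent check are assumptions made for illustration; the threshold of 55 is the fixed version named in the answer.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical class name; added example, not the asker's or answerer's code.
public class StrictSslWebViewClient extends WebViewClient {
    // Per the answer, the bug was fixed permanently in Chrome 55.
    private static final int FIXED_CHROME_MAJOR = 55;
    private static final Pattern CHROME = Pattern.compile("Chrome/(\\d{1,4})\\.");

    /** Hypothetical callback so the hosting Activity can decide what to show. */
    public interface Listener {
        void onOutdatedWebView(int chromeMajor);
        void onCertificateRejected(String url, int primaryError);
    }

    private final Listener listener;

    public StrictSslWebViewClient(Listener listener) { this.listener = listener; }

    /** Returns the Chrome major version from a WebView user agent, or -1 if absent. */
    static int chromeMajor(String userAgent) {
        Matcher m = CHROME.matcher(userAgent == null ? "" : userAgent);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Never proceed(): the load is cancelled whatever the cause turns out to be.
        handler.cancel();
        Log.w("StrictSsl", "TLS error " + error.getPrimaryError() + " for " + error.getUrl());

        int major = chromeMajor(view.getSettings().getUserAgentString());
        if (major != -1 && major < FIXED_CHROME_MAJOR) {
            // Likely the aged-build bug: the remedy is updating com.google.android.webview.
            listener.onOutdatedWebView(major);
        } else {
            // Current or unknown WebView: treat as a real certificate problem (e.g. interception).
            listener.onCertificateRejected(error.getUrl(), error.getPrimaryError());
        }
    }
}
```

The hosting Activity can use onOutdatedWebView to ask the user to update the WebView package from Google Play, and onCertificateRejected to show an error page instead of a blank screen.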