How to bypass SSL certificate checking in Apache Cordova 2.2 on Android

-

How to bypass SSL certificate checking in Apache Cordova 2.2 on Android

(or how to override CordovaWebViewClient in versions of Cordova 1.9+)

I came across a strange issue where I was unable to access a secure URL using HTTPS.  At first I thought it was due to the Cordova whitelist since there was an issue with it in Cordova 2.1.  In order to access an external URL you have to whitelist them eg

<access origin="https://www.wikipedia.org" subdomains="true"/>

This didn't help though and even if I allowed all URLS using

<access origin = "*"/>

it still didn't work.  Strangely though it was only one secure URL I couldn't access, not all of them

As it turns out, it was probably to do with the way Cordova assesses valid certificates.  When an Android app is signed and deployed it is deployed in 'production mode' which means that any secure URL accessed must have a valid certificate signed by a certificate authority (CA), so cannot be self-signed.  Something about this particular certificate, though signed by a CA, was being rejected by Cordova, which led me to raise this bug: https://issues.apache.org/jira/browse/CB-1947

Since I'm impatient, I decided to try and bypass the certificate checking.  Searching led me to various solutions, all based on extending CordovaWebViewClient and overriding the onReceivedSslError() method. For example:

public class SSLAcceptingWebViewClient extends CordovaWebViewClient {
  public SSLAcceptingWebViewClient(DroidGap ctx) {
    super(ctx);
  }

  @Override
  public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed();
  }
}
This was the easy part.  I then needed to tell Cordova to use my new class, rather than the default one.  This seemed simple as the advice I found on stackoverflow was to set it like this:

this.setWebViewClient(this.appView, new MyWebViewClient(this));

Unfortunately, this method signature no longer existed in Cordova 2.2.  Altering it to

this.appView.setWebViewClient( new SSLAcceptingWebViewClient(this));

compiled fine.  However, it resulted in a NullPointerException in the onPageLoad() method as seen by various others with no resolution.  I couldn't find any solution to this on the web, so I had to dig into the source code for Cordova.  Since it was a NullPointerException something had to be null, and the offending line was

if (!this.appView.useBrowserHistory) {

Since 'this' couldn't be null and useBrowserHistory is a boolean, it could only be appView that was null.  Some messing around finally led me to this solution in my main activity class


public class MyActivity extends DroidGap {
  /** Called when the activity is first created. */
  @Override
    public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      super.init();

      CordovaWebViewClient webViewClient = new SSLAcceptingWebViewClient(this);
      webViewClient.setWebView(this.appView);
      this.appView.setWebViewClient(webViewClient);

      super.loadUrl("file:///android_asset/www/index.html");
    }
}
And it works! I've successfully bypassed the SSL certificate checking!  Obviously this is inherently insecure, so I can't recommend it as a permanent solution.  I'm hoping that the above bug will be resolved in the next version of Cordova and I can switch my bypass solutions off.

If you need to override CordovaWebViewClient, this seems to be the way to do it.  If you know a better way, please do let me know

Comments

Post a Comment

Popular posts from this blog

Launch a website as a mobile app using PhoneGap/Apache Cordova

-
How to launch a website as a mobile app using PhoneGap/Apache Cordova I spent some time recently trying to find out how to launch my website as a mobile app.  The information was available around the internet but since it took me a while, I thought I'd collate it here in one simple post for anyone who wants to do the same I decided to use Apache Cordova since it gave me the framework for developing an HTML5 site as a mobile app already, meaning all I really needed to do was plug my website into it.  Their getting started guide has good information on how to create a Cordova project - I used Android but you can use whatever means you wish A basic Cordova app gives you a way to launch the app with an HTML page that you use to display your app contents.  The trick then is make the page load your website which you can do in one of 3 ways: 1. Package your site inside the app. This means it loads fast and without an internet connection.  The downside is you have to update and
Read more

Installing and using mobilize.js to transform a desktop site to a mobile site

-
Image
Installing and using mobilize.js to transform a desktop site to a mobile site mobilize.js offers a neat and simple method of creating a mobile optimised website with very little change to the main desktop site. With a few lines of javascript and some css you can create a mobile optimised site without having to maintain 2 different sets of content. However the instructions on the official site aren't the best. So with some digging I managed to transform - From this (Firefox on my laptop): To this (Android browser on my Samsung Galaxy Nexus): with no html changes other than adding some <script> tags to the <head> element.  Plus automatic browser detection to display either site depending on the browser used - mobile, or desktop Here are some step-by-step instructions on getting it working. Why would you want to? So going back to the beginning, these were my requirements:  I wanted to create a mobile optimised site but, as I already had a
Read more

How to manually add Cordova plugins to your app

-
I have recently been trying to add a plugin to an existing Cordova app (using Cordova 3.7.0).  Since I didn't create my app using the CLI I had 2 options: Create a new app using the CLI and copy my source files over Add the plugin files to my existing app For some reason I don't really like the idea of the CLI and wanted to do do this manually into an existing Android app, using Cordova, rather than use the CLI.  Don't ask me why, I just like doing things manually so I know what's going on under-the-hood I guess If you are like me and want to add a plugin manually, this is how to do it.  These instructions, though written for Android, will work for any any supported platform.  I will call out any differences between platforms that I know of Get the plugin source files You need the source code files for your platform (so .java for Android, .m .h for iPhone etc) as well as the plugin javascript files.  You might be able to get the source files from the inte
Read more