android webview with client certificate
S

8

22

I tried for days to use a WebView with a client certificate embedded in the application, but it seems to me that the Android SDK does not provide any way to do it. Is there a callback to intercept the challenge sent by the server? Is there a way to use a WebView with a client certificate and make HTTPS requests?

Scenario answered 23/3, 2013 at 15:59 Comment(2)
This newer Q appears to be a duplicate, but shows new hope: #35135725 - Vermicelli
Actually that does work. I just tested it using a base64 string that was a cert, instantly pinged my server and correctly displayed the page. Keeping link above and comment saying it works for future travelers! - Vermicelli
F
54

Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around and indeed it looks like you can't authenticate a WebView session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.

Using a Android WebView to connect to secure server with Client Certificate

A search in the Android Security Discussions confirms that the call is indeed not available:

https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J

and even though

The Android 4.0 release does include support for client certificate authentication in the browser.

(ref: https://code.google.com/p/android/issues/detail?id=8196)

no mention about WebViews is made :(

Even though there are some new API to load certificates in a Keychain:

http://developer.android.com/reference/android/security/KeyChain.html
http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html

it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).

If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:

Solution 1:

use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):

https://code.google.com/p/android/issues/detail?id=53491

However, even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the OS.

Solution 2:

If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:

Load local HTML file into WebView

but I strongly doubt that the WebView will behave as the browser does...

Solution 3: (which should work but requires a lot of effort)

Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:

http://chariotsolutions.com/blog/post/https-with-client-certificates-on/

You have my sympathy.

Fictive answered 23/3, 2013 at 17:45 Comment(0)
E
9

In API 21 (Android Lollipop) and higher you can override the WebViewClient.onReceivedClientCertRequest(WebView view, ClientCertRequest request). In the method, use your key manager for getting the private key and certificate chain and call request.proceed().

Expectorate answered 11/3, 2015 at 8:26 Comment(0)
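An added example, not part of the answer above, of the API 21+ callback it describes: the client key and chain are loaded once from a PKCS#12 file and presented only to one expected host. The class name, host name, asset name and password handling are assumptions for illustration.

```java
import android.content.Context;
import android.webkit.ClientCertRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

/** Hypothetical client: answers a TLS client-certificate request for one expected host only. */
public class ClientCertWebViewClient extends WebViewClient {
    private static final String EXPECTED_HOST = "api.example.com"; // assumption: your server
    // Assumption: PKCS#12 bundled in assets. A key shipped inside the APK can be recovered by
    // anyone holding the APK, so it identifies the app build, not an individual user.
    private static final String P12_ASSET = "client.p12";

    private PrivateKey key;
    private X509Certificate[] chain;

    public ClientCertWebViewClient(Context ctx, char[] p12Password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = ctx.getAssets().open(P12_ASSET)) {
            ks.load(in, p12Password);
        }
        // Use the first entry that actually holds a private key.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            key = (PrivateKey) ks.getKey(alias, p12Password);
            Certificate[] certs = ks.getCertificateChain(alias);
            chain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
            break;
        }
        if (key == null) throw new IllegalStateException("no private key in " + P12_ASSET);
    }

    @Override
    public void onReceivedClientCertRequest(WebView view, ClientCertRequest request) {
        // Never hand the client identity to a host other than the one it was issued for.
        if (EXPECTED_HOST.equalsIgnoreCase(request.getHost())) {
            request.proceed(key, chain);
        } else {
            request.cancel(); // decline; WebView remembers the decision for later requests
        }
    }
}
```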
C
9

If you just need to ignore SSL certificate requests inside the web view, this worked for me on Lollipop:

Inside your web view client, override:

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed(); // Ignore SSL certificate errors
}

This is useful for debugging webviews against qa/dev/stage environments.

Chandler answered 4/9, 2015 at 20:31 Comment(4)
#refreshing. Using this snippet of code, your app has a huge chance of being rejected on Google app validation. It happened to me. Please, see #35721253 - Please
It's not "a huge chance to be rejected", the Play Store detects this bypass automatically and rejects with no chance :) - Paymaster
My app was rejected yesterday because of this code. I would not use this any more. - Hierology
@Hierology Please read the answer carefully! As it states, "This is useful for debugging webviews against qa/dev/stage environments." Not meant for production code. - Chandler
G
9

To properly handle SSL certificate validation and prevent your app from being rejected by Google Play under the updated Security Policy, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I added an alert dialog so that the user has to confirm, and it seems Google no longer shows the warning.

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // Build the dialog from the WebView's context ("this" is the WebViewClient, not a Context).
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
        // The load continues only if the user explicitly confirms.
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

After these changes it will not show the warning.

Greenhaw answered 15/7, 2016 at 6:34 Comment(0)
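An added example, not part of the answer above, of deciding in code whether the server certificate "meets your expectations": it proceeds only for one staging host whose certificate matches a pinned SHA-256 digest and whose only error is an untrusted issuer, and cancels in every other case. The class name, host name and pin are placeholders, and `SslCertificate.getX509Certificate()` assumes API 29 or newer.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

/** Hypothetical client: accepts one known self-signed staging certificate, cancels the rest. */
public class PinnedStagingWebViewClient extends WebViewClient {
    private static final String STAGING_HOST = "staging.example.com"; // assumption
    // Placeholder: Base64 of the SHA-256 digest of the staging certificate's DER encoding.
    // The placeholder is not valid Base64, so until it is replaced every error is cancelled.
    private static final String EXPECTED_SHA256_B64 = "REPLACE_WITH_STAGING_CERT_SHA256_BASE64";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (meetsExpectations(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }

    private static boolean meetsExpectations(SslError error) {
        try {
            // getPrimaryError() reports only the most severe error, so test each one:
            // expiry, hostname mismatch and generic failures are never waived.
            int[] neverWaived = {SslError.SSL_EXPIRED, SslError.SSL_NOTYETVALID,
                    SslError.SSL_IDMISMATCH, SslError.SSL_DATE_INVALID, SslError.SSL_INVALID};
            for (int code : neverWaived) {
                if (error.hasError(code)) return false;
            }
            if (!error.hasError(SslError.SSL_UNTRUSTED)) return false;
            if (!STAGING_HOST.equalsIgnoreCase(Uri.parse(error.getUrl()).getHost())) return false;
            X509Certificate cert = error.getCertificate().getX509Certificate(); // API 29+
            if (cert == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            byte[] expected = Base64.decode(EXPECTED_SHA256_B64, Base64.DEFAULT);
            return MessageDigest.isEqual(digest, expected);
        } catch (Exception e) {
            return false; // any parsing or crypto failure means "do not proceed"
        }
    }
}
```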
A
4

The Chromium-based WebView on Android 4.4 introduced a bug: when the server requests a client certificate, the WebView stops the loading process. The onPageFinished method will be called immediately, but no page is displayed.

--> https://code.google.com/p/android/issues/detail?id=62533

Allochthonous answered 16/3, 2014 at 17:47 Comment(0)
B
1

onReceivedClientCertRequest() was added to WebViewClient in API 21. https://developer.android.com/reference/android/webkit/WebViewClient#onReceivedClientCertRequest(android.webkit.WebView,%20android.webkit.ClientCertRequest)

The solution from the following Stackoverflow post worked for me: Android WebView handle onReceivedClientCertRequest

To test:

When the client certificate is not set up, you will see "400 bad request".

Botanist answered 26/7, 2020 at 0:56 Comment(0)
B
0

We cannot access the client certificate in WebView. There is a Google issue raised for the same: https://code.google.com/p/android/issues/detail?id=53491

Bodkin answered 18/11, 2013 at 12:47 Comment(0)
K
-1

A self-signed SSL certificate is working for me.

Please check this answer https://mcmap.net/q/260640/-does-the-web-view-on-android-support-ssl

Kennykeno answered 27/2, 2018 at 9:55 Comment(0)
