android webview with client certificate
I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the android sdk does not provide any way to do it, is there a callback to intercept the challenge sent by the server? is there a way to use webview with a client certificate and make https request?
Solution 1:
Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around and indeed it looks that you can't authenticate a webview session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.
Using a Android WebView to connect to secure server with Client Certificate
A search in the Android Security Discussions confirms that the call is indeed not available:
https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J
and even though
The Android 4.0 release does include support for client certificate authentication in the browser.
(ref: https://code.google.com/p/android/issues/detail?id=8196)
no mention about WebViews is made :(
Even though there are some new API to load certificates in a Keychain:
http://developer.android.com/reference/android/security/KeyChain.html http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html
it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).
If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:
Solution 1:
use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):
https://code.google.com/p/android/issues/detail?id=53491
However even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the SO.
Solution 2:
If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:
Load local HTML file into WebView
but i strongly doubt that the webview will behave as the browser does...
Solution 3: (which should work but requires a lot of effort)
Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:
http://chariotsolutions.com/blog/post/https-with-client-certificates-on/
You have my sympathy.
Solution 2:
In API 21 (Android Lollipop) and higher you can override the WebViewClient.onReceivedClientCertRequest(WebView view, ClientCertRequest request). In the method, use your key manager for getting the private key and certificate chain and call request.proceed().
Solution 3:
If you just need to ignore ssl certificate requests inside the web view, this worked for me on Lollipop:
Inside your web view client, overwrite:
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed(); // Ignore SSL certificate errors
}
This is useful for debugging webviews against qa/dev/stage environments.
Solution 4:
To properly handle SSL certificate validation to prevent app from rejection from Google play according to updated Security Policy, Change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
String message = "SSL Certificate error.";
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
}
message += " Do you want to continue anyway?";
builder.setTitle("SSL Certificate Error");
builder.setMessage(message);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
After this changes it will not show warning.
Solution 5:
The Chronium based WebView on Android 4.4 introduced a bug: When the server requests a client certificate, the WebView stops the loading process. The onPageFinished-Method will be immediately called, but no page is displayed.
--> https://code.google.com/p/android/issues/detail?id=62533