Android WebView not loading an HTTPS URL
Solution 1
Add this overriding method to your WebViewClient implementation. You'll need to compile it with Android SDK 2.2 (API level 8) or later. The method appears in the public SDK as of 2.2 (API level 8) but we've tested it on devices running 2.1, 1.6 and 1.5 and it works on those devices too (so obviously the behaviour has been there all along).
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed(); // Ignore SSL certificate errors
}
this will help you.
Solution 2
Per correct answer by fargth, follows is a small code sample that might help.
First, create a class that extends WebViewClient and which is set to ignore SSL errors:
// SSL Error Tolerant Web View Client
private class SSLTolerentWebViewClient extends WebViewClient {
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed(); // Ignore SSL certificate errors
}
}
Then with your web view object (initiated in the OnCreate() method), set its web view client to be an instance of the override class:
mWebView.setWebViewClient(
new SSLTolerentWebViewClient()
);
Solution 3
To properly handle SSL certificate validation and avoid application rejection from Google according new Security Policy, Change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
String message = "SSL Certificate error.";
switch (error.getPrimaryError()) {
case SslError.SSL_UNTRUSTED:
message = "The certificate authority is not trusted.";
break;
case SslError.SSL_EXPIRED:
message = "The certificate has expired.";
break;
case SslError.SSL_IDMISMATCH:
message = "The certificate Hostname mismatch.";
break;
case SslError.SSL_NOTYETVALID:
message = "The certificate is not yet valid.";
break;
}
message += " Do you want to continue anyway?";
builder.setTitle("SSL Certificate Error");
builder.setMessage(message);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
After this changes it will not show warning.
Solution 4
override onReceivedSslError and remove
super.onReceivedSslError(view, handler, error)
And to solve Google security:
setDomStorageEnabled(true);
Full code is:
webView.enableJavaScript();
webView.getSettings().setDomStorageEnabled(true); // Add this
webView.getSettings().setJavaScriptCanOpenWindowsAutomatically(true);
webView.setWebViewClient(new WebViewClient(){
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
// DO NOT CALL SUPER METHOD
super.onReceivedSslError(view, handler, error);
}
});
Solution 5
Remove the below code it will work
super.onReceivedSslError(view, handler, error);
Related videos on Youtube
sumit
Updated on September 10, 2021Comments
-
sumit over 2 years
public void onCreate(Bundle savedInstance) { super.onCreate(savedInstance); setContentView(R.layout.show_voucher); webView=(WebView)findViewById(R.id.webview); webView.getSettings().setJavaScriptEnabled(true); webView.getSettings().setBuiltInZoomControls(true); String url ="https://www.paymeon.com/Vouchers/?v=%C80%8D%B1x%D9%CFqh%FA%84%C35%0A%1F%CE&iv=%25%EE%BEi%F4%DAT%E1" //webView.loadUrl(url); // Not Working... Showing blank webView.loadUrl("http://www.yahoo.com"); // its working }
When I try to load a URL in the WebBView it only shows a blank screen. If I load Google.com or yahoo.com it's working fine.
-
ilango j over 12 yearsit's working i checked now. check again if not working after that add this with your code webView.getSettings().setUseWideViewPort(true); webView.getSettings().setLoadWithOverviewMode(true);
-
-
Bill Lahti over 12 yearsThe last entry in the discussion worked great. Thanks very much.
-
ereOn over 10 yearsSecurity warning: Note that doing so completely defeats the purpose of having SSL in the first place.
-
KK_07k11A0585 almost 9 years@fargath I want to remove the SSLV3 protocol from the webview supported protocols as this protocol is disabled from server side they are using TLS 2.0 . How can do this ?
-
Antimony over 8 yearsPlease don't do this. It's insecure and not allowed in the Play Store.
-
Gustavo over 8 yearsGoogle is now sending emails to whoever implements the solution above:
Your app(s) listed at the end of this email have an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks.
Apps with vulnerabilities that expose users to risk of compromise may be considered Dangerous Products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
-
Pratik Tank about 8 yearsAny one know how to solve google Security warning, if yes please let me know because i also facing this problem.
-
Pratik Tank about 8 yearsthis gives the google security warning: unsafe implementation of the WebViewClient.onReceivedSslError handler. do you know how to solve this?
-
Ajay Pandya about 8 yearsGoogle Marked The App As Unsaif on playstore how can do it without ssl?
-
Ratul Ghosh about 8 yearsYou need to invoke handler.proceed() whenever the certificate presented by the server meets your expectations, otherwise handler.cancel() . Otherwise google will raise security warning like above .
-
Arth Tilva almost 8 yearsGreat, it worked for me. Can you please explain how it worked?
-
Vivek Sinha almost 8 yearswhat will happen if I removed onReceivedSslError block from the implementation?
-
Anant Shah almost 8 years@VivekSinha it will call handler.cancel(); by default.
-
Vivek Sinha almost 8 yearsbut Google still rejected my app saying same reason. Why?
-
CMP over 7 yearsereOn: I disagree. This comment is useful. It solves problems with self certified SSL certificates. I'm not uploading my app to the google store either.
-
Josh Laird over 7 years@ArthTilva from the google docs: "default behaviour is to cancel the load". By calling super you are calling that default behaviour before it can reach the rest of the method. developer.android.com/reference/android/webkit/…
-
Dirbaio about 7 yearsThis solution COMPLETELY disables certificate validation, leaving you open for man-in-the-middle attacks. This is something you should never do, ESPECIALLY for payment gateways.
-
Ishant Sagar almost 7 yearsFor me initially the webview was not loading the content, but just the background image of the page. After I just added
webview.getSettings.setDomStorageEnabled(true);
it magically worked. Maybe the webpage is using some kind of HTML 5 API, so enabling DomStorage worked for me. -
Kesha over 6 years@VivekSinha found any solution regarding to app launch in play store ?
-
Vivek Sinha over 6 yearsI implemented onReceivedSslError callback as suggested. App was published successfully afterwards.
-
Däñish Shärmà almost 6 yearsThank you so much man. Removing super.onReceivedSslError(view, handler, error) worked for me.
-
Gediminas almost 6 yearsI'm new to Android. Where should I put this? :)
-
Tam Huynh almost 5 yearsThanks. Call handler.proceed() in
onReceivedSslError
save my day -
Atul Bhardwaj almost 5 yearsDon't use the Super method- super.onReceivedSslError(view, handler, error);
-
Alp Altunel almost 5 yearsIf you do this (now July 2019) google play will reject your application.
-
ozanurkan almost 5 yearsİ have too many application on google play ,nothing app still get reject.
-
B.shruti almost 5 yearsFYI, app will be rejected on play store while making it live.
-
Dharman over 4 yearsAre you asking for a solution or suggesting one?
-
John Ruban Singh over 4 yearsI am suggesting this approach
-
John Ruban Singh over 4 yearswill reject January 2020 on-words
-
John Ruban Singh over 4 yearshandler.proceed() bypassing SSL
-
Shivam Sharma about 4 years@JohnRubanSingh Hi John, I've loading a JS file from assets and once file loaded with onPageFinished I'm calling a function inside JS. So, overriding onReceivedSslError() is neccessary as I'm using webview.setWebViewClient(new ....) ?
-
Shivam Sharma about 4 yearsThis code rejecting my APK.Even since 9 months this code is not causes rejection but suddenly facing rejections r8 now. switch (error.getPrimaryError()) { case SslError.SSL_UNTRUSTED: handler.proceed(); break; case SslError.SSL_EXPIRED: case SslError.SSL_IDMISMATCH: case SslError.SSL_NOTYETVALID: case SslError.SSL_DATE_INVALID: case SslError.SSL_INVALID: default: handler.cancel(); break; }
-
Shivam Sharma about 4 years@JohnRubanSingh please help me. We can join on slack.
-
Chagai Friedlander about 4 yearsyou could probably just easily add an if case to make sure it is the right self certified SSL certificate and if you want you can make this anyway only in the WebView for this one Website you are showing. or am I missing something fundamentale?
-
Akash kumar about 4 yearswhat is Encodingutil.getbyte
-
Yoda066 almost 4 years"An app may be flagged if it does not contain sufficient checks for certificate validity; for instance, just checking the return value of getPrimaryError is not sufficient to establish the validity of the certificate." source
-
StupidWolf almost 3 yearsseems like a comment
-
cursorrux over 2 yearsThis does not provide an answer to the question, this would be more appropriate as a comment.
-
babbin tandukar over 2 yearsit works for normal webpages but when i tried to load iframe for youtube videos its not working ..