Get rid of SSL verification in Cordova in app browser

13,180

Solution 1

iOS will always complain about invalid certificates, either in debug or release mode. To avoid this you should place the following code at the end of the AppDelegate.m file.

@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end

For Cordova users this file is placed in

project/platforms/ios/Project/Classes/AppDelegate.m

Android (Cordova specific)

In Android the history is different. It will allow you to make requests to services with invalid certificates, but only if the app is compiled in build mode. On the other hand, when you would build the app in release mode (ie: to send the APK to a co-worker or stuff like that), the Cordova Web View, which is where the HTML + CSS + JS you wrote runs, will not allow you to make “insecure” requests. Once again, to avoid this you should modify a platform file. In this case the file will be CordovaWebViewClient.java

You would need to modify a method in the mentioned filed, like this:

public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
  final String packageName = this.cordova.getActivity().getPackageName();
  final PackageManager pm = this.cordova.getActivity().getPackageManager();

  ApplicationInfo appInfo;
  try {
    appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA);
    if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
      // debug = true
      handler.proceed();
      return;
    } else {
      // debug = false
      // THIS IS WHAT YOU NEED TO CHANGE:
      // 1. COMMENT THIS LINE
      // super.onReceivedSslError(view, handler, error);
      // 2. ADD THESE TWO LINES
      // ---->
      handler.proceed();
      return;
      // <----
    }
  } catch (NameNotFoundException e) {
    // When it doubt, lock it out!
    super.onReceivedSslError(view, handler, error);
  }
}

This file is placed in (Cordova v4 and below)

project/platforms/android/CordovaLib/src/org/apache/cordova/CordovaWebViewClient.java

In newer versions of Cordova (v5 and later) the file is now placed in

project/platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java

and

You should not use these solutions for production apps. This is just to test them or share them with co-workers.

Reference: Ignoring invalid SSL certificates on Cordova for Android and iOS

Solution 2

Thanks @Levi Murray.

For Capacitor 2.2.0, you need to tweak @Levi Murray answer.

Android - node_modules/@capacitor/android/capacitor/src/main/java/com/getcapacitor/BridgeWebViewClient.java

Add the override method with the other methods.

    ....
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
      handler.proceed();
      return;
    }

Solution 3

Here's what worked for me using Capacitor

Note: I am changing dependency files, but I was only using this for development purposes as all of our development servers were using a different domain name (that we didn't own at the time) from our live domain name.

Android - node_modules/@capacitor/android/capacitor/src/main/java/com/getcapacitor/Bridge.java

Find the existing webView.setWebViewClient(new WebViewClient() {...}); line. Line 207 for me.

   // Line #207
   webView.setWebViewClient(new WebViewClient() {
       // Add this override method
       @Override
       public void onReceivedSslError(WebView view, SslErrorHandler handler, >SslError error) {
           handler.proceed();
           return;
       }
       ...
   }

  iOS - Pods/Development Pods/Capacitor/CAPBridgeViewController.swift

   // Line #204
   // Add this public class method to the CAPBridgeViewController
   public func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
       let cred = URLCredential(trust: challenge.protectionSpace.serverTrust!)
       completionHandler(.useCredential, cred)
   }

Solution 4

You can set-up a https proxy for that staging server. Your app contact the https://proxy_to_staging_server.yourdomain.com with a valid certificate and proxy_to_staging_server.yourdomain.com make a back-end request to the real staging server and replicate the anwser

Share:
13,180

Related videos on Youtube

channa ly
Author by

channa ly

Former Senior Software Engineer @instedd, @sureswiftcapital. Co-Founder @bookmebus. Tech Lead @vtenh #rails #aws #api #docker #postgresql #elasticsearch #js I design, develop, and deploy applications in rails to AWS and App Store. Linkedin | Medium | Github

Updated on June 04, 2022

Comments

  • channa ly
    channa ly almost 2 years

    I am building a web and hybrid mobile app. The apps communicate with third party service using ssl self-sign cert in staging env. Desktop browsers allow to accept invalid cert with risk warning but in iOS app I got this error

    Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be "xxx" which could put your confidential information at risk.

    I understand the risk but as my third party provider can not provide valid ssl cert for the service in staging server so I have no choice.

    Is there any configs/possibilities to allow invalid ssl cert in iOS and android inappbrowser plugin.

    Really appreciate your help.

  • andreszs
    andreszs almost 5 years
    In [email protected] this solution still works, check my answer below.
  • yooneskh
    yooneskh over 2 years
    This does not work for capacitor anymore. see answer by @Abdul Fatir
  • dchappelle
    dchappelle over 2 years
    Worked for Capacitor 3 as well :)