Get rid of SSL verification in Cordova in app browser
Solution 1
iOS will always complain about invalid certificates, either in debug or release mode. To avoid this you should place the following code at the end of the AppDelegate.m file.
@implementation NSURLRequest(DataController) + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host { return YES; } @end
For Cordova users this file is placed in
project/platforms/ios/Project/Classes/AppDelegate.m
Android (Cordova specific)
In Android the history is different. It will allow you to make requests to services with invalid certificates, but only if the app is compiled in build mode. On the other hand, when you would build the app in release mode (ie: to send the APK to a co-worker or stuff like that), the Cordova Web View, which is where the HTML + CSS + JS you wrote runs, will not allow you to make “insecure” requests. Once again, to avoid this you should modify a platform file. In this case the file will be CordovaWebViewClient.java
You would need to modify a method in the mentioned filed, like this:
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { final String packageName = this.cordova.getActivity().getPackageName(); final PackageManager pm = this.cordova.getActivity().getPackageManager(); ApplicationInfo appInfo; try { appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA); if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) { // debug = true handler.proceed(); return; } else { // debug = false // THIS IS WHAT YOU NEED TO CHANGE: // 1. COMMENT THIS LINE // super.onReceivedSslError(view, handler, error); // 2. ADD THESE TWO LINES // ----> handler.proceed(); return; // <---- } } catch (NameNotFoundException e) { // When it doubt, lock it out! super.onReceivedSslError(view, handler, error); } }
This file is placed in (Cordova v4 and below)
project/platforms/android/CordovaLib/src/org/apache/cordova/CordovaWebViewClient.java
In newer versions of Cordova (v5 and later) the file is now placed in
project/platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java
and
You should not use these solutions for production apps. This is just to test them or share them with co-workers.
Reference: Ignoring invalid SSL certificates on Cordova for Android and iOS
Solution 2
Thanks @Levi Murray.
For Capacitor 2.2.0, you need to tweak @Levi Murray answer.
Android - node_modules/@capacitor/android/capacitor/src/main/java/com/getcapacitor/BridgeWebViewClient.java
Add the override method with the other methods.
....
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed();
return;
}
Solution 3
Here's what worked for me using Capacitor
Note: I am changing dependency files, but I was only using this for development purposes as all of our development servers were using a different domain name (that we didn't own at the time) from our live domain name.
Android - node_modules/@capacitor/android/capacitor/src/main/java/com/getcapacitor/Bridge.java
Find the existing
webView.setWebViewClient(new WebViewClient() {...});
line. Line 207 for me.// Line #207 webView.setWebViewClient(new WebViewClient() { // Add this override method @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, >SslError error) { handler.proceed(); return; } ... }
iOS - Pods/Development Pods/Capacitor/CAPBridgeViewController.swift
// Line #204 // Add this public class method to the CAPBridgeViewController public func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { let cred = URLCredential(trust: challenge.protectionSpace.serverTrust!) completionHandler(.useCredential, cred) }
Solution 4
You can set-up a https proxy for that staging server. Your app contact the https://proxy_to_staging_server.yourdomain.com with a valid certificate and proxy_to_staging_server.yourdomain.com make a back-end request to the real staging server and replicate the anwser
Related videos on Youtube
channa ly
Former Senior Software Engineer @instedd, @sureswiftcapital. Co-Founder @bookmebus. Tech Lead @vtenh #rails #aws #api #docker #postgresql #elasticsearch #js I design, develop, and deploy applications in rails to AWS and App Store. Linkedin | Medium | Github
Updated on June 04, 2022Comments
-
channa ly almost 2 years
I am building a web and hybrid mobile app. The apps communicate with third party service using ssl self-sign cert in staging env. Desktop browsers allow to accept invalid cert with risk warning but in iOS app I got this error
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be "xxx" which could put your confidential information at risk.
I understand the risk but as my third party provider can not provide valid ssl cert for the service in staging server so I have no choice.
Is there any configs/possibilities to allow invalid ssl cert in iOS and android inappbrowser plugin.
Really appreciate your help.
-
andreszs almost 5 yearsIn [email protected] this solution still works, check my answer below.
-
yooneskh over 2 yearsThis does not work for capacitor anymore. see answer by @Abdul Fatir
-
dchappelle over 2 yearsWorked for Capacitor 3 as well :)