android webview with client certificate

user2202628 picture user2202628 · Mar 23, 2013 · Viewed 40.8k times · Source

I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the android sdk does not provide any way to do it, is there a callback to intercept the challenge sent by the server? is there a way to use webview with a client certificate and make https request?

Answer

Rick77 picture Rick77 · Mar 23, 2013

Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around and indeed it looks that you can't authenticate a webview session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.

Using a Android WebView to connect to secure server with Client Certificate

A search in the Android Security Discussions confirms that the call is indeed not available:

https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J

and even though

The Android 4.0 release does include support for client certificate authentication in the browser.

(ref: https://code.google.com/p/android/issues/detail?id=8196)

no mention about WebViews is made :(

Even though there are some new API to load certificates in a Keychain:

http://developer.android.com/reference/android/security/KeyChain.html http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html

it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).

If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:

Solution 1:

use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):

https://code.google.com/p/android/issues/detail?id=53491

However even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the SO.

Solution 2:

If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:

Load local HTML file into WebView

but i strongly doubt that the webview will behave as the browser does...

Solution 3: (which should work but requires a lot of effort)

Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:

http://chariotsolutions.com/blog/post/https-with-client-certificates-on/

You have my sympathy.