Handling certificate errors in Android WebView and clearing the certificate preferences

androidseb · Feb 5, 2016 · Viewed 14k times

I am trying to find a proper way to handle SSL certificate errors in the Android Webview. My goal is to provide a way to load pages with SSL certificate errors, but let the user choose to load the page after warning him about security any time he tries to load a URL with certificate errors.

The closest solutions I found in threads suggest overriding the WebViewClient as follows:

webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(final WebView view, final SslErrorHandler handler, final SslError error) {
        handler.proceed();
    }
});

However, this basically disables SSL in the WebView without the user's consent.

For reference here are the threads where I found that solution:

Android WebView SSL 'Security Warning'

Does the Web View on Android support SSL?

Android WebView not loading an HTTPS URL

android webview with client certificate

Web view shows blank/white page after loading URL when using WIFI in Android

Unable to load a specific webpage on Android webview

WebView displays a blank view for certain links

Android WebView blocks redirect from https to http

Ignore ssl certificate requests in webview

I went ahead and implemented a slightly different version which prompts the user:

webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(final WebView view, final SslErrorHandler handler, final SslError error) {
        //Showing a first confirmation dialog
        AndroidUtils.showYesNoDialog(
            //First confirmation message
            "WARNING - THIS PAGE IS NOT SECURE! Are you sure you want to continue loading it?",
            //First confirmation "YES" option runnable
            new Runnable() {
                @Override
                public void run() {
                    //Showing a second confirmation dialog
                    AndroidUtils.showYesNoDialogWithResId(
                        //Second confirmation message
                        "You chose to load an unsecure page, are you sure you want to do that?",
                        //Second confirmation "YES" option runnable
                        new Runnable() {
                            @Override
                            public void run() {
                                //Disregard the error and proceed with the bad certificate anyways
                                handler.proceed();
                            }
                        },
                        //Second confirmation "NO" option runnable
                        new Runnable() {
                            @Override
                            public void run() {
                                //Cancel loading the page with that certificate error
                                handler.cancel();
                            }
                        }
                    );
                }
            },
            //First confirmation "NO" option runnable
            new Runnable() {
                @Override
                public void run() {
                    //Cancel loading the page with that certificate error
                    handler.cancel();
                }
            });
    }
});

This implementation asks the user twice if he wants to load the page. If he says yes twice, the error is disregarded and the page loads; otherwise the page loading is canceled.

The first time a URL with a certificate error loads, WebViewClient.onReceivedSslError is called. However, if the user proceeds with the certificate error and SslErrorHandler.proceed() is called, the following times the same URL loads, WebViewClient.onReceivedSslError is never called again: only killing the app resets this behavior.

I would want WebViewClient.onReceivedSslError to be called systematically when a URL with a certificate error loads, not just the first time. I tried calling those methods without success:

/** JAVADOC QUOTE: Clears the SSL preferences table stored in response to proceeding with SSL certificate errors.*/
webView.clearSslPreferences();
//Those other methods I tried out of despair just in case
webView.clearFormData();
webView.clearCache(true);
webView.clearHistory();
webView.clearMatches();

Does anybody know how to make the WebView call WebViewClient.onReceivedSslError more than once for the same URL, after SslErrorHandler.proceed() has been called?
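
An added example, not part of the original post: a single-dialog variant of the prompt-the-user handler that names the specific certificate problem from `SslError.getPrimaryError()` and treats every dismissal as a refusal. The class name and message strings are hypothetical, and it assumes the WebView was created with an Activity context so a dialog can be shown.

```java
import android.app.AlertDialog;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical class name. Cancels by default; proceeds only on explicit consent. */
public class ConsentingSslWebViewClient extends WebViewClient {

    // Maps the primary SslError code to a reason the user can act on.
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_EXPIRED:      return "The certificate has expired.";
            case SslError.SSL_NOTYETVALID:  return "The certificate is not valid yet.";
            case SslError.SSL_IDMISMATCH:   return "The certificate was issued for a different host.";
            case SslError.SSL_UNTRUSTED:    return "The certificate authority is not trusted.";
            case SslError.SSL_DATE_INVALID: return "The certificate date is invalid.";
            default:                        return "The certificate is invalid.";
        }
    }

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // Show the host that presented the bad certificate, not just a generic warning.
        String host = Uri.parse(error.getUrl()).getHost();
        // Assumption: view.getContext() is an Activity, otherwise the dialog cannot be shown.
        new AlertDialog.Builder(view.getContext())
            .setTitle("Connection is not secure")
            .setMessage(host + "\n\n" + describe(error) + "\n\nLoad the page anyway?")
            .setPositiveButton("Load anyway", (dialog, which) -> handler.proceed())
            .setNegativeButton("Cancel", (dialog, which) -> handler.cancel())
            // Back press or a tap outside counts as a refusal, so the request never stays pending.
            .setOnCancelListener(dialog -> handler.cancel())
            .show();
    }
}
```

This only changes how the prompt is presented and resolved; it does not alter the behaviour reported in the question, where the callback is not invoked again for a URL once `proceed()` has been called.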

Answer

Chinthaka Devinda · Nov 15, 2017

Do not ever override the onReceivedSslError method. Google Play will reject your upload. The smartest way to handle the SSL error is to use webSettings.setDomStorageEnabled(true);