Get rid of SSL verification in Cordova in app browser

channa ly · Aug 10, 2016 · Viewed 9.5k times

I am building a web and hybrid mobile app. The apps communicate with a third-party service using a self-signed SSL cert in the staging env. Desktop browsers allow accepting the invalid cert with a risk warning, but in the iOS app I got this error

I understand the risk, but my third-party provider cannot provide a valid SSL cert for the service on the staging server, so I have no choice.

Are there any configs/possibilities to allow an invalid SSL cert in the iOS and Android inappbrowser plugin?

Really appreciate your help.

Answer

dmn · Mar 31, 2017

iOS will always complain about invalid certificates, either in debug or release mode. To avoid this you should place the following code at the end of the AppDelegate.m file.

@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end

For Cordova users this file is placed in

project/platforms/ios/Project/Classes/AppDelegate.m

Android (Cordova specific)

In Android the story is different. It will allow you to make requests to services with invalid certificates, but only if the app is compiled in build mode. On the other hand, when you build the app in release mode (i.e., to send the APK to a co-worker or stuff like that), the Cordova Web View, which is where the HTML + CSS + JS you wrote runs, will not allow you to make “insecure” requests. Once again, to avoid this you should modify a platform file. In this case the file will be CordovaWebViewClient.java.

You would need to modify a method in the mentioned file, like this:

public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
  final String packageName = this.cordova.getActivity().getPackageName();
  final PackageManager pm = this.cordova.getActivity().getPackageManager();

  ApplicationInfo appInfo;
  try {
    appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA);
    if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
      // debug = true
      handler.proceed();
      return;
    } else {
      // debug = false
      // THIS IS WHAT YOU NEED TO CHANGE:
      // 1. COMMENT THIS LINE
      // super.onReceivedSslError(view, handler, error);
      // 2. ADD THESE TWO LINES
      // ---->
      handler.proceed();
      return;
      // <----
    }
  } catch (NameNotFoundException e) {
    // When in doubt, lock it out!
    super.onReceivedSslError(view, handler, error);
  }
}

This file is placed in (Cordova v4 and below)

project/platforms/android/CordovaLib/src/org/apache/cordova/CordovaWebViewClient.java

In newer versions of Cordova (v5 and later) the file is now placed in

project/platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java

and

You should not use these solutions for production apps. This is just to test them or share them with co-workers.

Reference: Ignoring invalid SSL certificates on Cordova for Android and iOS
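
A narrower alternative to the unconditional `handler.proceed()` above, given as an added example that is not part of the answer or of Cordova's code: the SSL error is accepted only in a debuggable build, only for one staging host, and only when the presented certificate matches a pinned SHA-256 fingerprint. The class name `StagingSslPolicy`, the host, and the fingerprint value are placeholders to be replaced with your staging server's details.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Base64;
import java.security.MessageDigest;

// Hypothetical helper (added example). Call it from onReceivedSslError:
//   if (StagingSslPolicy.shouldProceed(view.getContext(), error)) handler.proceed();
//   else super.onReceivedSslError(view, handler, error);
public final class StagingSslPolicy {
    // Placeholder: host of the staging service that presents the self-signed cert.
    private static final String STAGING_HOST = "staging.example.invalid";
    // Placeholder: base64 of the SHA-256 digest of that certificate's DER encoding.
    private static final String PINNED_SHA256 = "REPLACE_WITH_BASE64_SHA256_OF_STAGING_CERT";

    private StagingSslPolicy() {}

    /** Returns true only when every condition holds; any failure or exception means "do not proceed". */
    public static boolean shouldProceed(Context ctx, SslError error) {
        try {
            // 1. Never relax verification in a release build.
            boolean debuggable =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
            if (!debuggable) return false;

            // 2. Only the known staging host qualifies (a null host compares unequal).
            String host = Uri.parse(error.getUrl()).getHost();
            if (!STAGING_HOST.equalsIgnoreCase(host)) return false;

            // 3. The pinned cert may be untrusted, but it must be within its validity dates.
            if (error.hasError(SslError.SSL_EXPIRED)
                    || error.hasError(SslError.SSL_NOTYETVALID)) return false;

            // 4. Compare the presented certificate with the pinned fingerprint.
            //    saveState() exposes the DER bytes under the "x509-certificate" key.
            byte[] der = SslCertificate.saveState(error.getCertificate())
                    .getByteArray("x509-certificate");
            if (der == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            byte[] pinned = Base64.decode(PINNED_SHA256, Base64.DEFAULT);
            return MessageDigest.isEqual(digest, pinned);
        } catch (Exception e) {
            return false; // fail closed: malformed pin, missing cert, unparsable URL
        }
    }
}
```

With this check in place, a release build or a certificate other than the pinned one falls through to the default handler, which cancels the load.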