I'm developing on Android 8 (API 26, Oreo) and I use android.webkit.WebView in my app.

I would like to implement a "secure network connection" when I load pages with my WebView (in other words, I would like to avoid man-in-the-middle problems and self-signed certificates).

To do this I used the network security configuration (available on Android from version 7.0 N, API 24).

So:

In res>xml>network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set>
            <pin digest="SHA-256">MY_PIN</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I found MY_PIN inserting MY_DOMAIN.com here: https://report-uri.com/home/pkp_hash

In manifest>AndroidManifest.xml

...
 <application
        android:networkSecurityConfig="@xml/network_security_config"
...
 </application>

In the onCreate of my app I simply do:

WebView webView = new WebView(this);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Reached when certificate validation fails; cancel() refuses the connection
        handler.cancel();
    }

    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
    }
    // ... other overrides
});
webView.loadUrl("https://MY_DOMAIN.com");

According to the Android docs I'm doing it right, but I have a problem: it's like network_security_config.xml is never checked, because I can set any "random" and "wrong" value for the pin and it works normally (URL MY_DOMAIN.com is loaded normally, without any blocking behavior).

So that means that if some man-in-the-middle returns a pin different from those I've written in res>xml>network_security_config.xml, the application continues running fine and with no secure behavior. It also does not execute any of the overridden error methods of WebViewClient.

Please help, I cannot understand my error.

Samuel Adorni

1 Answer

[SOLVED]

In AndroidManifest.xml I declared

 <application
        android:networkSecurityConfig="@xml/network_security_config"
 ...
 </application>

Editor warned about a problem related to the SDK version but I didn't see it. This is the warning.

[SOLUTION]

Add tools:targetApi="n" to the Manifest like the following:

<!-- the tools: prefix requires xmlns:tools="http://schemas.android.com/tools"
     to be declared on the root <manifest> element -->
<application
    android:networkSecurityConfig="@xml/network_security_config"
    ...
    tools:targetApi="n">

[EDIT]

The SSL error is handled in public void onReceivedSslError(...) of WebViewClient (see the following code):

webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // HANDLE HERE THE ERROR!!!
        // handler.cancel() refuses the connection; handler.proceed() would accept
        // the untrusted certificate and defeat the pinning
        handler.cancel();
    }
    // ...
});
Samuel Adorni

  • Thanks, for me this only works on a real device, not on emulators – Fangxing May 19 '21 at 03:01
  • I'm having issues with WebChromeClient. How would you track onReceivedSslError on WebChromeClient? – Ilker Baltaci Jun 01 '23 at 12:07
  • @IlkerBaltaci I think you have to create the WebView and set on it both the WebViewClient and the WebChromeClient. In other words, it is not correct to say that "you receive the error on the WebChromeClient". You receive the error on the WebView. And to handle it you have to set the WebViewClient and do the explained. – Samuel Adorni Jun 20 '23 at 14:43
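Two things on this page fail silently rather than loudly: a <pin-set> whose pins are not real SHA-256 digests (or that has no backup pin, or has already expired, after which Android stops enforcing it), and an <application> element that never references the config at all. The script below is an added example, not code from the question or the answer. It reads both XML files with Python's standard library and reports those problems before a release build. All sample XML in it is constructed for the demo: the question's config with MY_PIN still a placeholder, two arbitrary 32-byte values standing in for real SPKI hashes, and manifests with a made-up package name.

```python
"""Offline checks for res/xml/network_security_config.xml (its <pin-set>) and
the <application> element of AndroidManifest.xml.
Added example; every XML sample below is constructed for the demo."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Constructed input 1: the question's config with MY_PIN left as a placeholder.
CONFIG_WITH_PLACEHOLDER = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set>
            <pin digest="SHA-256">MY_PIN</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

# Constructed input 2: two syntactically valid pins (arbitrary 32-byte values,
# not hashes of any real key), i.e. a primary plus a backup, with an expiration.
CONFIG_OK = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set expiration="2099-01-01">
            <pin digest="SHA-256">{p1}</pin>
            <pin digest="SHA-256">{p2}</pin>
        </pin-set>
    </domain-config>
</network-security-config>""".format(
    p1=base64.b64encode(bytes(range(32))).decode(),
    p2=base64.b64encode(bytes(range(32, 64))).decode())

# Constructed manifests (package name is a placeholder): one wired up, one not.
MANIFEST_OK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.placeholder">
    <application android:networkSecurityConfig="@xml/network_security_config"
        tools:targetApi="n"></application>
</manifest>"""
MANIFEST_MISSING = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder"><application></application></manifest>"""


def pin_is_valid(value):
    """An Android SHA-256 pin is the base64 encoding of exactly 32 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def check_config(xml_text, today=None):
    """Return 'LEVEL: message' findings for a network security config."""
    today = dt.date.fromisoformat(today) if today else dt.date.today()
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return ["ERROR: root element is not <network-security-config>"]
    for dc in root.iter("domain-config"):
        label = ", ".join((d.text or "").strip() for d in dc.findall("domain")) or "<no domain>"
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"WARN: {label}: cleartext HTTP is explicitly permitted")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"WARN: {label}: no <pin-set>, so nothing is pinned")
            continue
        good = 0
        for pin in pin_set.findall("pin"):
            value = (pin.text or "").strip()
            if pin.get("digest") != "SHA-256" or not pin_is_valid(value):
                findings.append(f"ERROR: {label}: pin {value!r} is not a base64 SHA-256 digest")
            else:
                good += 1
        if good < 2:
            findings.append(f"WARN: {label}: fewer than 2 valid pins; no backup pin for key rotation")
        expiration = pin_set.get("expiration")
        if expiration is None:
            findings.append(f"INFO: {label}: pin-set never expires; rotating to an unpinned key locks users out")
        elif dt.date.fromisoformat(expiration) < today:
            findings.append(f"WARN: {label}: pin-set expired on {expiration}; Android no longer enforces these pins")
    return findings


def check_manifest(xml_text):
    """Findings for the <application> element of AndroidManifest.xml."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["ERROR: manifest has no <application> element"]
    config = app.get(f"{{{ANDROID_NS}}}networkSecurityConfig")
    if config is None:
        findings.append("ERROR: no android:networkSecurityConfig; the XML config is never read")
    elif not config.startswith("@xml/"):
        findings.append(f"ERROR: networkSecurityConfig {config!r} must reference an @xml/ resource")
    if app.get(f"{{{TOOLS_NS}}}targetApi") is None:
        findings.append("INFO: no tools:targetApi; lint will warn that networkSecurityConfig needs API 24+")
    return findings


if __name__ == "__main__":
    for name, text in (("placeholder config", CONFIG_WITH_PLACEHOLDER), ("fixed config", CONFIG_OK)):
        print(name, check_config(text, today="2024-01-01") or ["OK"])
    for name, text in (("manifest ok", MANIFEST_OK), ("manifest missing", MANIFEST_MISSING)):
        print(name, check_manifest(text) or ["OK"])
```

Run as a script it prints the findings for each sample; in practice you would call check_config() on the real res/xml file and check_manifest() on the real manifest from a pre-release check. The pin format test only catches pins that cannot be SHA-256 digests; whether a well-formed pin matches the server's key can only be verified against the certificate chain itself.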