I have created a PhoneGap app which needs to communicate with a self-signed SSL service.
I whitelisted my URL in res/xml/cordova.xml like so:
I did the following to get around the restriction (currently using Cordova 1.7.0). This is definitely inherently insecure:
```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import org.apache.cordova.CordovaWebViewClient;
import org.apache.cordova.DroidGap;

public class MyWebViewClient extends CordovaWebViewClient {
    public MyWebViewClient(DroidGap ctx) {
        super(ctx);
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // testing against getPrimaryError() or hasErrors() will fail on Honeycomb or older.
        // You might check for something different, such as specific info in the certificate,
        //if (error.getPrimaryError() == SslError.SSL_IDMISMATCH) {
        handler.proceed();
        //} else {
        //    super.onReceivedSslError(view, handler, error);
        //}
    }
}
```
and then in the main activity:
```java
@Override
public void init() {
    super.init();
    // pass in our webviewclient to override SSL error
    this.setWebViewClient(this.appView, new MyWebViewClient(this));
}
```
The problem is you are using a self-signed cert. The Android WebView does not allow self-signed SSL certs by default. PhoneGap/Cordova overrides this in the CordovaWebViewClient class but does not deviate its behaviour by much; if the app is debug-signed, it will proceed and ignore the error, otherwise it will fail.
You could change the above-linked code in your application and make the onReceivedSslError method always call handler.proceed(), but this isn't recommended. Don't use a self-signed certificate!
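
A narrower form of the override in the first answer, following the hint in its code comment about checking specific info in the certificate (an added example, not code from either answer or from Cordova): proceed only when the presented certificate's SHA-256 fingerprint matches a pinned value, and cancel otherwise. The class name, the placeholder fingerprint, and the use of the "x509-certificate" key in the bundle returned by SslCertificate.saveState() are assumptions.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.cordova.CordovaWebViewClient;
import org.apache.cordova.DroidGap;

// Hypothetical class name; replaces the unconditional handler.proceed() with a pin check.
public class PinnedCertWebViewClient extends CordovaWebViewClient {
    // Placeholder: lowercase hex SHA-256 of the service certificate's DER encoding.
    private static final String PINNED_SHA256 = "<sha256-of-your-certificate-der>";

    public PinnedCertWebViewClient(DroidGap ctx) {
        super(ctx);
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesPin(error.getCertificate())) {
            handler.proceed();  // exactly the certificate the app was built to expect
        } else {
            handler.cancel();   // any other certificate: fail closed, even in debug builds
        }
    }

    // Returns true only if the certificate's SHA-256 fingerprint equals the pinned value.
    static boolean matchesPin(SslCertificate cert) {
        if (cert == null) return false;
        // Assumption: saveState() stores the DER bytes under "x509-certificate".
        Bundle state = SslCertificate.saveState(cert);
        byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
        if (der == null) return false;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return toHex(digest).equals(PINNED_SHA256);
        } catch (NoSuchAlgorithmException e) {
            return false;  // cannot verify, so do not proceed
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

With the placeholder left in place no certificate matches, so every SSL error is cancelled until a real fingerprint is supplied.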