Phonegap/Cordova whitelisted cross domain SSL request not working after exporting APK

Question

I have created a phonegap app which needs to communicate with a self signed SSL service.

I whitelisted my url in res/xml/cordova.xml like so:

<access origin="https://www.mydomain.com" subdomains="true" />

and this works fine when I run and build from eclipse but if I then export and sign my app and manually install the APK then the app is unable to communicate with my web service.

The communication with the server is carried out using the Sencha Touch library like so:

Ext.Ajax.request({
        url: 'https://www.mydomain.com',
        method: 'get',          
        success: function(result) {                 
        },
        failure: function(result) {         
        }           
    }); 

Any help much appreciated

Answer 1

The problem is you are using a self-signed cert. The Android WebView does not allow by default self-signed SSL certs. PhoneGap/Cordova overrides this in the CordovaWebViewClient class but does not deviate its behaviour by much; if the app is debug-signed, it will proceed and ignore the error, otherwise it will fail.

You could change the above-linked to code in your application and make the onReceivedSslError method always call handler.proceed() - but this isn't recommended. Don't use a self-signed certificate!

Answer 2

I did the following to get around the restriction (currently using Cordova 1.7.0). This is definitely inherently insecure:

public class MyWebViewClient extends CordovaWebViewClient {

    public MyWebViewClient(DroidGap ctx) {
        super(ctx);
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // testing against getPrimaryError() or hasErrors() will fail on Honeycomb or older.
        // You might check for something different, such as specific info in the certificate,
        //if (error.getPrimaryError() == SslError.SSL_IDMISMATCH) {
            handler.proceed();
        //} else {
        //    super.onReceivedSslError(view, handler, error);
        //}
    }
}

and then in the main activity:

@Override
public void init() {
    super.init();

    //pass in our webviewclient to override SSL error
    this.setWebViewClient(this.appView, new MyWebViewClient(this));
}