androidandroid-webviewandroid-network-security-config

Android WebView and network-security-configuration


I'm developing on Android 8 (26 API, Oreo) and I use android.webkit.WebView in my app.

I would implement "secure network connection" when I load pages with my WebView (in other words I would avoid man-in-the-middle problems and self-signed certificates)

To do this I used network security configuration (on Android from version 7.0 N, 24 API)

So:

In res>xml>network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set>
            <pin digest="SHA-256">MY_PIN</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I found MY_PIN inserting MY_DOMAIN.com here: https://report-uri.com/home/pkp_hash

In manifest>AndoridManifest.xml

...
 <application
        android:networkSecurityConfig="@xml/network_security_config"
...
 </application>

In the onCreate of my app I simply do:

WebView webView = new WebView(this);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(..)..
    @Override
    public void onPageFinished()..
    ...});
webView.loadUrl(MY_DOMAIN.com);

According to Android docs I'm doing it right but I have a problem: it's like network_security_config.xml is never checked because I can set every "random" and "wrong" value for the pin and it works normally (URL MY_DOMAIN.com is loaded normally without blocking behavior).

So that means that if some man-in-the-middle return back one different pin of those I've written in res>xml>network_security_config.xml the application continue running well and with no secure behavior. It also does not execute one of the overridden error method of WebViewClient.

Please help I can not understand my error.


Solution

  • [SOLVED]

    In AndoridManifest.xml I declared

     <application
            android:networkSecurityConfig="@xml/network_security_config"
     ...
     </application>
    

    Editor warned about a problem related to the SDK version but I didn't see it. This is the warning.

    [SOLUTION]

    Add this tools:targetApi="n" to the Manifest like the following:

    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ...
        tools:targetApi="n">
    

    [EDIT]

    SSL error is handled in public void onReceivedSslError(...) of WebViewClient (See the following code)

      webView.setWebViewClient(new WebViewClient() {
                public void onReceivedSslError(WebView view, 
                    final SslErrorHandler handler, SslError error) {
                         //HANDLE HERE THE ERROR!!!
                    ...
                }
            ...
      });