Apache Cordova: Working with certificates on Android
Christian Karasiewicz 270005XS4E Visits (9803)
public void onRe
Potential solutions and problems therein
Now, in the real world, shipping an app in “debug” mode simply isn't going to fly. This becomes a problem when attempting to process a connection request and being presented with an SSUIC. Without modification to the above code, users must have a valid certificate available in order for the connection attempt to be successful. As is sometimes the case, you our your users may want to connect to an entity that is not set up with a valid certificate. A few solutions exist to help us work around or solve this problem. The first is an implementation which I don't ever want to see in production code. I have seen several blogs and forums suggest that developers simply write code to simply bypass the SSL Error and “accept” SSUICs. I don't think I need to go into detail on why this is bad idea - avoid this route at any cost. Our second option is more feasible, but still not ideal. It involves modifying and maintaining a custom version of Cordova with changes to this one little function. Doing this causes overhead in development as you'll need to spend time updating and retrofitting code into new versions of Cordova (along with maintaining builds for your version of Cordova). So this brings us to option three: Cordova plugins. Plugins can be written by developers to extend or add (or in our case enhance) functionality and features to their app. Plugins are bits of web and native code that allow developers to work a bit closer to the native layer without leaving the comfort of having a hybrid web app.
Solution of choice
So, we now know the problem, we have some initial information on the Cordova source code and we have some potential solutions. What now? Our chosen solution was to write a Cordova plugin that works to override Cordova's implementation of the
At this point, I assume you have a basic understanding of Cordova plugins so I won't be digging too far into our full implementation – I'll just be going over the core pieces that make this work. To start, you'll need to create a Java class that extends from eith
public void onRe
From here, you'll need to create, and set as default, your own custom Cord
Once this is done, you're ready to give things a spin. Now when attempting to connect to an entity with an SSUIC, a prompt should appear with the ability to continue or halt the connection.
While not a perfect solution, this does allow users to decide for themselves if they'd like to accept or reject invalid/untrusted certificates. With a little more work, you can provide more insightful information, such has the error received and certificate details, that will allow users to make a more informed decision when establishing connections. You can also investigate whether or not it's valuable to store your users' choices across app sessions by leveraging local storage.
Later down the road, we'd like to investigate getting such a solution integrated with the Cordova code base or at least be able to work with the Cordova folks to offer an official plugin of sorts. I hope you have found the information in this post to be of value and I hope it allows you to better serve and protect your users. That's all I have this time. Thanks for reading.
Matthew Alcorn is an iOS/Android Engineer and Mobile UX designer for IBM Flex System Manager. Follow Matthew on Twitter at @matthewralcorn.