How to verify the SSL certificate in an Android app's WebView

The Android ecosystem is seriously fragmented, and a WebViewClient can fail to access HTTPS sites for reasons such as an incorrect date on the phone, an abnormal root certificate store on the phone, or bugs in com.google.android.webview. How SSL errors are handled is critical. If they are not handled properly, the app may be exposed to man-in-the-middle attacks in which an attacker eavesdrops on the data, leading to security incidents.

It is particularly important to handle onReceivedSslError rigorously. Please refer to the following code. The principle is: if WebView reports an SSL error, the program performs strong verification of the server certificate. If the SHA-256 fingerprint of the certificate presented by the server matches the recorded value, the fault lies in the WebView verification process (for example a wrong phone date or a deleted root certificate), and the SSL error is ignored. If the certificate does not match, there is a problem with the communication channel, and the block is kept.

Please click here to get the SHA-256 fingerprint of the certificate, then adjust the MySSLCNSHA256 array variable in the code. If the app needs to access sites with several certificates, add each certificate's fingerprint to the code. When testing the code, set the phone date to before the certificate's validity period and check whether WebView can still access the HTTPS site normally.
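The check described above, as an added example (it is not the original article's code): a WebViewClient that proceeds past an SSL error only when the SHA-256 of the presented certificate matches a recorded value. The class name `PinnedWebViewClient`, the helpers `isPinned` and `hex`, and the all-zero fingerprint are placeholders introduced here; reading the certificate bytes through `SslCertificate.saveState` and the `"x509-certificate"` bundle key is an assumption about the platform's saved-state format.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.MessageDigest;

public class PinnedWebViewClient extends WebViewClient {
    // Placeholder value: replace with the SHA-256 fingerprint of each server
    // certificate (hash of the DER encoding). Add one entry per certificate.
    private static final byte[][] MySSLCNSHA256 = {
        hex("0000000000000000000000000000000000000000000000000000000000000000"),
    };

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Ignore the error only for a recorded certificate; otherwise keep blocking.
        if (isPinned(error.getCertificate())) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }

    private static boolean isPinned(SslCertificate cert) {
        if (cert == null) return false;
        try {
            // saveState() stores the DER-encoded certificate under "x509-certificate".
            // On API 29+ cert.getX509Certificate().getEncoded() gives the same bytes.
            Bundle state = SslCertificate.saveState(cert);
            byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
            if (der == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            for (byte[] pin : MySSLCNSHA256) {
                if (MessageDigest.isEqual(pin, digest)) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // fail closed: any parsing or hashing problem keeps the block
        }
    }

    // Converts a hex fingerprint string into raw bytes.
    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Install it with `webView.setWebViewClient(new PinnedWebViewClient())`. The recorded fingerprints must be updated in an app release whenever the server certificate is renewed, otherwise the fallback stops matching.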
