HTTPS connection with self-signed certificate

Hi

I'm having issues consuming a REST service on a server which has a self-signed certificate. I'm using the plugin https://github.com/wymsee/cordova-HTTP.git and, after copying the certificate into the app as the plugin indicates, I get a null response. In Chrome, if I test the service with the Advanced REST Client app, I first need to accept the security warning about the self-signed certificate in another tab, and then I can call the service. Something like that is what I need to do in my Ionic app. Any ideas?

Thanks in advance

Cheers

I figured it out.

For consuming services on servers with self-signed certificates:

In iOS:

You need to open Xcode and, in project/platforms/ios/Project/Classes/AppDelegate.m, append at the end of the file:

// Category on NSURLRequest that answers YES for every host: this disables
// server certificate validation for the whole app (and uses a private API).
@implementation NSURLRequest(DataController)

- (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}

@end

In Android you need to modify a Java class:

project/platforms/android/CordovaLib/src/org/apache/cordova/CordovaWebViewClient.java

// Imports this method relies on (they belong in the import block of the class):
//   import android.content.pm.ApplicationInfo;
//   import android.content.pm.PackageManager;
//   import android.content.pm.PackageManager.NameNotFoundException;
//   import android.net.http.SslError;
//   import android.webkit.SslErrorHandler;
//   import android.webkit.WebView;

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    final String packageName = this.cordova.getActivity().getPackageName();
    final PackageManager pm = this.cordova.getActivity().getPackageManager();

    ApplicationInfo appInfo;
    try {
        appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA);
        if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            // debug = true: the stock code already ignores the SSL error here
            handler.proceed();
            return;
        } else {
            // debug = false
            // THIS IS WHAT YOU NEED TO CHANGE:
            // 1. COMMENT THIS LINE
            // super.onReceivedSslError(view, handler, error);
            // 2. ADD THESE TWO LINES
            // ---->
            handler.proceed(); // accepts any certificate in release builds too
            return;
            // <----
        }
    } catch (NameNotFoundException e) {
        // When in doubt, lock it out!
        super.onReceivedSslError(view, handler, error);
    }
}

Regards


THANKS! This is obviously a really bad idea for production, but it makes life so much easier in our dev environment. Thank you kindly!

@hanamj Why is that so bad for production? Is it not safe?

@herve76 Hmm… I'm no security expert, but it seems to me that someone could hijack your app's connection and route the traffic to a compromised server with an invalid cert. The code change above tells the app that it's OK to proceed with the connection if the server's certificate is invalid for any reason. If you're OK connecting to servers with cert problems, then you should be fine… but then why use SSL in the first place?

We need top security on the connection to protect the user’s data, so we can only use this hack in testing. It isn’t a problem for us in production, since our servers have valid certs.

I guess it comes down to your comfort level with the potential security hole & the sensitivity of your data. My two cents!

@franclopez It looks like the Android platform changed and this may have moved to project/platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java, but I’m having trouble with it…

Have you had to make any other changes beyond what’s in this thread?

Thanks!

Never mind, making the changes in that file worked perfectly.

Great, I modified that file and it works fine.

Another, easier way in Android is in the AndroidManifest.xml. Set the following property in the application tag:

         android:debuggable="true"

The best way to get around this issue is to use SSL pinning. I have used the Intel App Security API plugin for the same. Their documentation explains the entire process. Hope this helps.

I am interested in using the Intel plugin for this. Would you be able to share some of the code? Thanks!

Here is a link to the code snippet from the documentation: https://software.intel.com/en-us/node/604523

I have used it in the exact same fashion. Can confirm that works on iOS.

The FAQ (https://software.intel.com/en-us/node/564384) shows how to extract the public key and also how to use it within the emulator if using Intel XDK as IDE.

I use the HTTP Ionic Native plugin
and set it up with these methods:

import { Injectable } from '@angular/core';
import { Headers } from '@angular/http'; // assumed source of Headers; the field is unused below
import { HTTP } from '@ionic-native/http';

@Injectable()
export class ServerApi {
  headers: Headers;

  constructor(private http: HTTP) {
    // Skip the check that the hostname matches the certificate's CN/SAN
    this.http.validateDomainName(false);
    // Trust every server certificate, self-signed or otherwise: no validation at all
    this.http.acceptAllCerts(true);
  }
}