I'm needing to display an internal website I'm working on in an Android app that uses the Android System WebView "browser". The site's SSL works correctly in Chrome on Android, Linux, and Windows, but when I open the page using an app that implements WebView it returns an SSL error. The site is being served with Nginx and is using our company wildcard SSL certificate from GoDaddy. I've tested on Android devices running Android 7.1, 8.0, and 8.1. I also compiled the latest version of WebView from source and installed it on one device to confirm that an old version wasn't causing the issue. I ran the TestSSLServer program against the site and didn't get any warnings. Here is my Nginx config:

server {
    listen 443 ssl http2;
    server_name subdomain.example.com;
    root /websites/subdomain.example.com;

    ssl_certificate /etc/ssl/certs/wildcard_cert.crt;
    ssl_certificate_key /etc/ssl/private/wildcard_key.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout  10m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    # add_header X-Frame-Options DENY;
    # add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################


    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # add_header X-Frame-Options "SAMEORIGIN";
    # add_header X-XSS-Protection "1; mode=block";
    # add_header X-Content-Type-Options "nosniff";
    # add_header Access-Control-Allow-Origin *;
    # add_header Access-Control-Allow-Methods "GET, OPTIONS";
    # add_header Access-Control-Allow-Headers "Authorization";
    # add_header Access-Control-Allow-Credentials "true";

    index index.html index.htm;

    # kill cache
    add_header Last-Modified $date_gmt;
    add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    if_modified_since off;
    expires off;
    etag off;

    charset utf-8;

    location / {
        try_files $uri /index.html;
    }

    location = /index.html {
        expires 30s;
    }

}

Thanks in advance for any help.

1 Answer

Please add the following in your webview

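import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// JavaScript is enabled through WebSettings; WebView has no enableJavaScript() method.
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setDomStorageEnabled(true);
webView.getSettings().setJavaScriptCanOpenWindowsAutomatically(true);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // The handler must be answered or the load never completes.
        // cancel() rejects the connection, which is also the default behaviour.
        handler.cancel();
    }
});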

4 Comments

The WebView app I'm using isn't one that I wrote; I could write a basic one to test with if needed. The plan is to use the Fully Kiosk app so we don't have to write our own. I've also tested with a couple of other WebView based apps from the Play Store.
Is there any specific reason to use the Fully Kiosk app? If not, you can use Google Chrome custom tabs, which will give more control over the UI. developer.chrome.com/multidevice/android/customtabs
Well the idea is to have dedicated kiosks that just show the one web app. Fully Kiosk provides a way to lock down Android to a single web page; I could roll my own app to do this but I'm trying to avoid that for now.
@tnpeel were you able to fix this? I'm also trying to use Fully kiosk app to display my website on the tablet.
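
For the "basic one to test with" mentioned in the comments, a WebViewClient can report which certificate check WebView failed instead of leaving the error opaque. This is an added example, not code from the question or the answer; the class name `SslDiagnosticClient` and the log tag are assumptions made for illustration.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical test client: reports why WebView rejected the certificate, then refuses the load. */
public class SslDiagnosticClient extends WebViewClient {
    private static final String TAG = "SslDiagnostic"; // log tag chosen for this example

    /** Lists every failed check; a single SslError can carry several. */
    static String describe(SslError error) {
        StringBuilder sb = new StringBuilder();
        if (error.hasError(SslError.SSL_UNTRUSTED))    sb.append("certificate authority not trusted; ");
        if (error.hasError(SslError.SSL_IDMISMATCH))   sb.append("hostname mismatch; ");
        if (error.hasError(SslError.SSL_EXPIRED))      sb.append("certificate expired; ");
        if (error.hasError(SslError.SSL_NOTYETVALID))  sb.append("certificate not yet valid; ");
        if (error.hasError(SslError.SSL_DATE_INVALID)) sb.append("certificate date invalid; ");
        if (error.hasError(SslError.SSL_INVALID))      sb.append("generic validation error; ");
        return sb.length() == 0 ? "unknown error " + error.getPrimaryError() : sb.toString();
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // The certificate WebView was evaluating when the check failed.
        SslCertificate cert = error.getCertificate();
        Log.e(TAG, "URL: " + error.getUrl());
        Log.e(TAG, "Failed checks: " + describe(error));
        Log.e(TAG, "Issued to: " + cert.getIssuedTo().getCName());
        Log.e(TAG, "Issued by: " + cert.getIssuedBy().getCName());
        Log.e(TAG, "Valid: " + cert.getValidNotBeforeDate() + " to " + cert.getValidNotAfterDate());
        // Reject the load; the logged reason points at what to correct on the server or device.
        handler.cancel();
    }
}
```

Install it with `webView.setWebViewClient(new SslDiagnosticClient())` and read the result in logcat under the `SslDiagnostic` tag.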
