Android WebView and network-security-configuration

Problem description

I'm developing on Android 8 (26 API, Oreo) and I use android.webkit.WebView in my app.

I would implement "secure network connection" when I load pages with my WebView (in other words I would avoid man-in-the-middle problems and self-signed certificates).

To do this I used network security configuration (on Android from version 7.0 N, 24 API)

So:

res>xml>network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set>
            <pin digest="SHA-256">MY_PIN</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I found MY_PIN by entering MY_DOMAIN.com here: https://report-uri.com/home/pkp_hash

manifest>AndroidManifest.xml

...
 <application
        android:networkSecurityConfig="@xml/network_security_config"
...
 </application>

In the onCreate of my app I simply do:

WebView webView = new WebView(this);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(..)..
    @Override
    public void onPageFinished()..
    ...});
webView.loadUrl(MY_DOMAIN.com);

According to Android docs I'm doing it right but I have a problem: it's like network_security_config.xml is never checked because I can set every "random" and "wrong" value for the pin and it works normally (URL MY_DOMAIN.com is loaded normally without blocking behavior).

So that means that if some man-in-the-middle returns a pin different from those I've written in res>xml>network_security_config.xml, the application continues running well and with no secure behavior. It also does not execute one of the overridden error methods of WebViewClient.

Please help, I cannot understand my error.

Recommended answer

[SOLVED]

In AndroidManifest.xml I declared

 <application
        android:networkSecurityConfig="@xml/network_security_config"
 ...
 </application>

Editor warned about a problem related to the SDK version but I didn't see it. This is the warning.

[SOLUTION]

Add this tools:targetApi="n" to the Manifest like the following:

<application
    android:networkSecurityConfig="@xml/network_security_config"
    ...
    tools:targetApi="n">

SSL error is handled in public void onReceivedSslError(...) of WebViewClient (See the following code)

  webView.setWebViewClient(new WebViewClient() {
            public void onReceivedSslError(WebView view, 
                final SslErrorHandler handler, SslError error) {
                     //HANDLE HERE THE ERROR!!!
                ...
            }
        ...
  });
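
An added example, not part of the original question or answer: a Python check for the network_security_config.xml shown in the question. It flags pins that are not a base64-encoded 32-byte SHA-256 digest and pin sets without the backup pin that Android's documentation recommends. The function names are hypothetical and the embedded config is a constructed sample.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's config; MY_PIN is its placeholder.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set>
            <pin digest="SHA-256">MY_PIN</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

def pin_problem(pin):
    """Return why a <pin> element is malformed, or None if it is well-formed."""
    if pin.get("digest") != "SHA-256":
        return "digest must be SHA-256"
    try:
        raw = base64.b64decode((pin.text or "").strip(), validate=True)
    except (binascii.Error, ValueError):
        return "value is not valid base64"
    if len(raw) != 32:
        return "value decodes to %d bytes, SHA-256 needs 32" % len(raw)
    return None

def lint_config(xml_text):
    """Return findings for every <domain-config> in the file (hypothetical helper)."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("domain-config"):
        domains = ", ".join((d.text or "").strip() for d in cfg.findall("domain"))
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            findings.append("%s: no <pin-set>, nothing is pinned" % domains)
            continue
        pins = pin_set.findall("pin")
        for pin in pins:
            problem = pin_problem(pin)
            if problem:
                findings.append("%s: %s" % (domains, problem))
        if len(pins) < 2:
            findings.append("%s: no backup pin" % domains)
    return findings

if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE_CONFIG)))
```

A pin that passes this check can still be the wrong pin for the server; the check only catches placeholders and malformed values before a build.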
