Android WebView和网络安全配置 [英] Android WebView and network-security-configuration
问题描述
我正在使用Android 8(26 API,Oreo)进行开发,并且在我的应用中使用了android.webkit.WebView
.
I'm developing on Android 8 (26 API, Oreo) and I use android.webkit.WebView
in my app.
当我用WebView
加载页面时,我将实现安全网络连接"(换句话说,我将避免中间人问题和自签名证书)
I would implement "secure network connection" when I load pages with my WebView
(in other words I would avoid man-in-the-middle problems and self-signed certificates)
为此,我使用了网络安全配置(在Android上为7.0 N,API为24)
To do this I used network security configuration (on Android from version 7.0 N, 24 API)
所以:
在res>xml>network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config>
<domain includeSubdomains="true">MY_DOMAIN.com</domain>
<pin-set>
<pin digest="SHA-256">MY_PIN</pin>
</pin-set>
</domain-config>
</network-security-config>
我发现MY_PIN
在此处插入MY_DOMAIN.com
: https://report-uri.com/主页/pkp_hash
在manifest>AndoridManifest.xml
...
<application
android:networkSecurityConfig="@xml/network_security_config"
...
</application>
在我的应用程序的onCreate中,我简单地做:
In the onCreate of my app I simply do:
WebView webView = new WebView(this);
webView.setWebViewClient(new WebViewClient() {
@Override
public void onReceivedSslError(..)..
@Override
public void onPageFinished()..
...});
webView.loadUrl(MY_DOMAIN.com);
根据Android文档,我做对了,但是我遇到了一个问题:就像从未检查过network_security_config.xml
一样,因为我可以为该图钉设置每个随机"和错误"的值,并且它可以正常工作(URL MY_DOMAIN.com
正常加载而没有阻塞行为).
According to Android docs I'm doing it right but I have a problem: it's like network_security_config.xml
is never checked because I can set every "random" and "wrong" value for the pin and it works normally (URL MY_DOMAIN.com
is loaded normally without blocking behavior).
因此,这意味着如果某个中间人返回我在res>xml>network_security_config.xml
中编写的那些不同的引脚,则该应用程序将继续正常运行,并且没有任何安全行为.
它也不会执行WebViewClient
的覆盖错误方法之一.
So that means that if some man-in-the-middle return back one different pin of those I've written in res>xml>network_security_config.xml
the application continue running well and with no secure behavior.
It also does not execute one of the overridden error method of WebViewClient
.
请帮助我无法理解我的错误.
Please help I can not understand my error.
推荐答案
[已解决]
在AndoridManifest.xml中,我声明了
In AndoridManifest.xml I declared
<application
android:networkSecurityConfig="@xml/network_security_config"
...
</application>
编辑器警告有关SDK版本的问题,但我没有看到. 这是警告.
Editor warned about a problem related to the SDK version but I didn't see it. This is the warning.
[解决方案]
将此tools:targetApi="n"
添加到清单中,如下所示:
Add this tools:targetApi="n"
to the Manifest like the following:
<application
android:networkSecurityConfig="@xml/network_security_config"
...
tools:targetApi="n">
SSL错误在WebViewClient
的public void onReceivedSslError(...)
中处理(请参见以下代码)
SSL error is handled in public void onReceivedSslError(...)
of WebViewClient
(See the following code)
webView.setWebViewClient(new WebViewClient() {
public void onReceivedSslError(WebView view,
final SslErrorHandler handler, SslError error) {
//HANDLE HERE THE ERROR!!!
...
}
...
});
这篇关于Android WebView和网络安全配置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!