
I fixed the vulnerability with the implementation of the WebViewClient.onReceivedSslError handler in my Android project, but I would like to know how I can test it.

Previously my code was:

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.d("message", "message");
        // Insecure: accepts any certificate (expired, self-signed, wrong host),
        // so a network attacker can intercept the WebView's HTTPS traffic.
        handler.proceed(); // Ignore SSL certificate errors
    }

and after my fix is:

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        Log.d("a message", "a message");

        // Never proceed automatically: let the user make an explicit decision.
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        builder.setTitle("Error");
        builder.setMessage("Certificate is invalid");
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        // If the dialog is dismissed without a choice (e.g. back button), the
        // handler must still get a decision; cancelling is the safe default.
        builder.setOnCancelListener(new DialogInterface.OnCancelListener() {
            @Override
            public void onCancel(DialogInterface dialog) {
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

For example, can I modify the host in the Android emulator so that it points to a page that throws an SSL exception?

1 Answer

You can generate an error with the following steps:

  1. Get the WebViewClient for your WebView
  2. Intercept the request in the shouldInterceptRequest() method of the WebViewClient
  3. Create an SslError and return it from there
  4. It will go to the onReceivedSslError method
Surendra Kumar
  • Can you please help me with how to create an SslError within the shouldInterceptRequest() method? The definition of the method says that the return type should be WebResourceResponse. – Dimitris Baltas Sep 13 '18 at 11:53
  • Put a call to super.onReceivedSslError(view, new SslErrorHandler(), new SslError(SslError.SSL_INVALID, null)); in the shouldInterceptRequest() method. This will run your test scenario. – Surendra Kumar Sep 13 '18 at 13:43
  • Thanks for your response! I tried, but it says that 'SslErrorHandler()' is not public in 'android.webkit.SslErrorHandler'. Cannot be accessed from outside package. Any ideas? – Dimitris Baltas Sep 13 '18 at 14:26
  • I just checked. Keep it simple. Just call super.onReceivedSslError(view, null, null); in the shouldInterceptRequest() method. This will run your test scenario. – Surendra Kumar Sep 13 '18 at 15:05