cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Grieve <>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Tue, 14 Jan 2014 02:28:46 GMT
Implementation notes that come to mind:

I think this will actually be impossible to do on Android :(.
shouldInterceptRequest is the closest thing you'd need, as it's your
hook for overriding network requests. However, it exposes only the URL
that is being requests. Not the HTTP method, not any request headers,
not the request payload. :(. You could add it in for FileTransfer
though. You could also add it in using a strange different API (e.g.
set headers, method, payload using exec(), then use an XHR to fire the
request). For GET requests, it matters less since you can get the
Cookies for it, but still are lacking custom headers.

URLProtocol is the way to go. As long as the URL is whitelisted,
Cordova's won't touch it and your registered protocol will pick it up.
CDVProtocol should at least provide a helper method for mapping a
request to a UIWebView though. But I do think multiple URLProtocol
handlers will work fine.
>From past experience, if you use NSURLConnection to implement all
UIWebView requests, then it will work just fine... except for hanging
gets. NSURLConnection buffers responses and so won't trickle data down
to you as it comes, which hanging gets require. Not a big deal...
unless you want to use a hanging get.

On Mon, Jan 13, 2014 at 5:13 PM, Joe Bowser <> wrote:
> On Mon, Jan 13, 2014 at 2:00 PM, Tommy-Carlos Williams
> <> wrote:
>> Marcel,
>> Well, I was hoping it would not come down to custom TrustManagers. I was hoping to
hook into the CordovaWebViewClient’s shouldInterceptRequest().
>> I realise this is in API 11+, but don’t know of another way off the top of my head
(was hoping this thread could help, yay).
>> Is the issue related to that “security hole” thread where the whitelist isn’t
checked with ajax/xhr on API < 11 ?
> Yup.  There's no such thing as shouldInterceptRequest() in
> Gingerbread.  I think we should just assume that anyone who owns a
> Gingerbread phone is already owned based on the tons of other known
> security flaws on that device and just move on.
>> On 14 Jan 2014, at 8:53 am, Marcel Kinard <> wrote:
>>> I am curious how this would be implemented on Android. If you construct an SSLSocketFactory
with your private TrustManager that contains the pinned cert, how do you get the Android webview
to use that SSLSocketFactory?

View raw message