cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Mon, 13 Jan 2014 22:13:21 GMT
On Mon, Jan 13, 2014 at 2:00 PM, Tommy-Carlos Williams
<> wrote:
> Marcel,
> Well, I was hoping it would not come down to custom TrustManagers. I was hoping to hook
into the CordovaWebViewClient’s shouldInterceptRequest().
> I realise this is in API 11+, but don’t know of another way off the top of my head
(was hoping this thread could help, yay).
> Is the issue related to that “security hole” thread where the whitelist isn’t checked
with ajax/xhr on API < 11 ?

Yup.  There's no such thing as shouldInterceptRequest() in
Gingerbread.  I think we should just assume that anyone who owns a
Gingerbread phone is already owned based on the tons of other known
security flaws on that device and just move on.

> On 14 Jan 2014, at 8:53 am, Marcel Kinard <> wrote:
>> I am curious how this would be implemented on Android. If you construct an SSLSocketFactory
with your private TrustManager that contains the pinned cert, how do you get the Android webview
to use that SSLSocketFactory?

View raw message