I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the android sdk does not provide any way to do it, is there a callback to intercept the challenge sent by the server? is there a way to use webview with a client certificate and make https request?
Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around and indeed it looks that you can't authenticate a webview session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.
Using a Android WebView to connect to secure server with Client Certificate
A search in the Android Security Discussions confirms that the call is indeed not available:
https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J
and even though
The Android 4.0 release does include support for client certificate authentication in the browser.
(ref: https://code.google.com/p/android/issues/detail?id=8196)
no mention about WebViews is made :(
Even though there are some new API to load certificates in a Keychain:
http://developer.android.com/reference/android/security/KeyChain.html http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html
it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).
If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:
Solution 1:
use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):
https://code.google.com/p/android/issues/detail?id=53491
However even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the SO.
Solution 2:
If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:
Load local HTML file into WebView
but i strongly doubt that the webview will behave as the browser does...
Solution 3: (which should work but requires a lot of effort)
Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:
http://chariotsolutions.com/blog/post/https-with-client-certificates-on/
You have my sympathy.
1.4m articles
1.4m replys
5 comments
56.9k users
