Android - Mutual Authentication Using WebView

Hi all,
I am back with new and a great challenge in the android application.
Using the WebView and send the client certificate.
Confused???

Now start searching over the internet and go line by line of the API documentation of the WebView but after spending 2-3-4...8 days where are we... No solution on the internet.

Now start doing reverse engineering. Go to the source of android WebView and finally at a corner you will find that HTTPS connection is being used by Android OS in low level.

Again after a long search you will find that android.net.http.HttpsConnection class is being used by WebView for all the https connection. When you start looking the code of this class you will find that it always sends the hard coded value as null for client certificate in static variable "mSslSocketFactory". So we are again stuck to solve this problem.

Here comes the Java Reflection which can be used to solve this problem. If android has not revealed any API to set this variable then use reflection to set your client certificate which will be recognized by server.
Below source tells how can it be achieved.

Initialize WebView and before calling the

webview.loadUrl("https://www.myserver.com");
call the below method code.

    private void setClientCertificateConnectionPicker(InputStream input, String password) {

        try {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory
                    .getInstance("X509");
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(input, password);
            keyManagerFactory.init(keyStore, "changeit".toCharArray());
            TrustManager[] trustAllCerts = new TrustManager[] {
                new X509TrustManager() {

                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        Log.d(TAG, "getAcceptedIssuers--Checking issuers");
                        return null;
                    }

                    public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                        Log.d(TAG, "checkClientTrusted--Checking client authentication");
                    }

                    public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
   //Validate your server here
                        for (int i = 0; i < certs.length; i++) {
                            Log.d(TAG, "\t" + certs[i].getIssuerX500Principal().getName());
                            Log.d(TAG, "\t" + certs[i].getIssuerDN().getName());
                        }
                    }
                }
            };

            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(keyManagerFactory.getKeyManagers(), trustAllCerts, new java.security.SecureRandom());
            // BELOW STATMENTS USES JAVA REFLECTION TO SET THE CLIENT
            // CERTIFICATE AS
            // SSL SOCKET FACTORY.

            Class c = Class.forName("android.net.http.HttpsConnection");
            Field[] fieldlist = c.getDeclaredFields();
            for (int i = 0; i < fieldlist.length; i++) {
                Field fld = fieldlist[i];
                if (fld.getName().equals("mSslSocketFactory")) {
                    fld.setAccessible(true);
                    fld.set(null, sc.getSocketFactory());
                }
            }
        } catch (ClassNotFoundException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- Class not found", e);
        } catch (IllegalArgumentException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- IllegalArgumentException", e);
        } catch (IllegalAccessException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- IllegalAccessException", e);
        } catch (NoSuchAlgorithmException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- NoSuchAlgorithmException", e);
        } catch (KeyStoreException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- KeyStoreException", e);
        } catch (CertificateException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- CertificateException", e);
        } catch (IOException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- IOException", e);
        } catch (UnrecoverableKeyException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- UnrecoverableKeyException", e);
        } catch (KeyManagementException e) {
            Log.e(TAG, "--setClientCertificateConnectionPicker-- KeyManagementException", e);
        }

    }

And here you go.

Write me for any issue in this.

Three Cheers to Authentication!!!

Android - Orientation lock on hard keyboard open/closed

Hi... I am back with a new problem and its solution.
I was struggling with the requirement where I had to lock the screens orientation with respect to the hard keyboard open/closed state. The problem was to lock the orientation in landscape when hard keyboard is open and lock the orientation in portrait when hard keyboard is closed.

Small trick might work.
put the below code in your activity you want to achieve this.

@Override
public void onConfigurationChanged(Configuration newConfig) {
    super.onConfigurationChanged(newConfig);
    switch (newConfig.hardKeyboardHidden) {
    case Configuration.HARDKEYBOARDHIDDEN_YES:
        setRequestedOrientation(ActivityInfo.SCREEN_ORIENTATION_PORTRAIT);
        break;
    case Configuration.HARDKEYBOARDHIDDEN_NO:
        setRequestedOrientation(ActivityInfo.SCREEN_ORIENTATION_PORTRAIT);
        break;
    }
}

Wait..... your are not done yet. What will happen when user comes in this activity with landscape mode already set.
In that case handling is done with one more trick.

setRequestedOrientation(ActivityInfo.SCREEN_ORIENTATION_PORTRAIT);

Call the above in your onCreate method to signal the onConfigurationChanged and after that it will handle the orientation. :-)

Three cheers !!!