Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is a SSL certificate still needed in a Flutter webview?

Tags:

ssl-certificate

flutter

android-webview

webview

We currently have an Angular web app created for an online ordering utility. But we want to create a native app out of it, and we wanted to use Flutter.

At first, though we just want to use a webview to show the existing Angular app through there.

The problem is, we wanted to do this because we also wanted to get rid of the need for an SSL certificate to access the app through a phone.

Is it still necessary to have an SSL certificate for a webview?

I imagine it is because it's still like accessing the webpage afterall, but I wanted to be sure.

like image 385
Biel Avatar asked Jan 26 '26 22:01

Biel

2 Answers

The webview_flutter plugin hasn't any option to ignore SSL errors. Instead, using my flutter_inappwebview plugin, it is very simple to ignore SSL errors as you would normally do on Android, that is using the onReceivedServerTrustAuthRequest event and returning ServerTrustAuthResponse(action: ServerTrustAuthResponseAction.PROCEED); for the specified request or for all requests.

A simple example using the latest version 5.0.5+3 and https://badssl.com/ (that is a site for testing clients against bad SSL configs, see https://github.com/chromium/badssl.com) is:

child: InAppWebView(
  initialUrlRequest: URLRequest(
      url: Uri.parse("https://self-signed.badssl.com/")
  ),
  onReceivedServerTrustAuthRequest: (controller, challenge) async {
    print(challenge);
    return ServerTrustAuthResponse(action: ServerTrustAuthResponseAction.PROCEED);
  },
),

where the challenge argument provides all the information about the challenge, such as host, protocol, realm, etc.

Also, on Android, when you return the action to be taken (PROCEED or CANCEL), this decision is saved by Android itself, so the next time you go to the same URL, the onReceivedServerTrustAuthRequest event won't be triggered. In that case, you can use the controller.android.clearSslPreferences() method to clear the Android SSL preferences.

like image 75
Lorenzo Pichilli Avatar answered Jan 28 '26 10:01

Lorenzo Pichilli

By default, there is no option to bypass/ignore/proceed without SSL in webview_flutter and the flutter_webview_plugin has been almost deprecated and not updated for the last 2 years till this answer. but there is a solution available in webview_flutter.

It is recommended to use HTTPS calls only in Apps. Transport security was introduced in iOS 9.0, allowing only HTTPS calls from apps by default.

However, if you still want to allow all non-https calls - Add NSAppTransportSecurity (Dictionary) in Info.plist and Add a Subkey named NSAllowsArbitraryLoads with the boolean value YES. After the update, plist should look like

Method 1: In source code of info.plist file we can add that:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Method 2: Or you can do it in Xcode

  1. Opened my Project target's info.plist file
  2. Added a Key called NSAppTransportSecurity as a Dictionary.
  3. Added a Subkey called NSAllowsArbitraryLoads as Boolean and set its value to YES as in the following image.

enter image description here

like image 28
Hamza Muazzam Avatar answered Jan 28 '26 12:01

Hamza Muazzam

Sign in to Comment

Related questions

Set desktop Flutter to run in maximized size at startup

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!