A Trap Hidden Deep Within Apache Cordova

During the development of the Cordova application «Siberian Dice» for Android I encountered a particularly nasty problem, so very tiny yet absolutely devastating. It was a very well hidden trap, and the experience of falling into this trap was so spectacular and puzzling that I was moved to create a stackoverflow.com account — imagine my frustration! It is a terrible feeling when you find out that the problem you just faced is not googleable, and even stackoverflow has no answer, not even a stupid one. So, I had to investigate it myself. I succeeded and (because I did not want anybody else to lose any more time on investigating the bug I already investigated) posted the solution on stackoverflow. And then I forgot about the issue.

A few days ago a stranger contacted me. He wrote me a letter (in all caps) full of excitement and told me that he had faced the same problem with Cordova and had felt completely hopeless before he found my post on stackoverflow, which appeared to him to be the only relevant piece of information on the entire internet, and that all in all he wanted to thank me. That was encouraging, to say the least. Thus, I think it won't do harm to publish the problem and the solution here, taking into account the problematic nature of rare problems.

The Symptoms

A program that works perfectly when built in --debug mode stops working when built in --release mode. The effect is constant. Further investigation reveals that the program fails to open any SSL connection; no other effects are present.
For example, either of the following lines would trigger the issue:
Socket = new WebSocket('wss://376.su/');
<img src="https://blabla" />

The Problem

It turned out to be a superposition of two separate issues, each of which is seriously misleading:

My SSL certificate from Thawte (despite its cost) is not recognized by Android 5.1.1 as a valid one (while being recognized by all desktop browsers).

The --debug flag in cordova build simply ignores certificate «errors» (silently).

The Solution

Ignore those quasi-errors in --release mode. To this end, go to your project's directory and find the following file:
platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java

Locate the definition of the method onReceivedSslError and, inside it, the following condition:
(appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0

This condition is what makes --debug and --release behave differently. To ignore certificate «errors» in --release builds as well, the following code must be executed regardless of that condition:
handler.proceed();
return;

This file persists through the build process. Don't forget to make the same change again the next time you add a platform to your project.
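Placed as described above, handler.proceed() accepts every certificate error on every connection the WebView makes. A narrower variant, as an added example (not from the original post and not Cordova's own code), proceeds only when one host presents one pinned certificate and cancels everything else. The class name, PINNED_HOST, the PINNED_SHA256 placeholder and the expiry check are assumptions.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.security.MessageDigest;

// Added example, not Cordova code: accept one pinned certificate on one host only.
public class PinnedSslWebViewClient extends WebViewClient {
    // Assumption: the single host whose certificate Android rejects (host from the page's example).
    private static final String PINNED_HOST = "376.su";
    // Placeholder: lowercase hex SHA-256 of your server certificate's DER encoding.
    private static final String PINNED_SHA256 = "<sha256-hex-of-your-certificate>";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesPin(error)) {
            handler.proceed();   // expected certificate on the expected host
        } else {
            handler.cancel();    // every other certificate problem stays fatal
        }
    }

    static boolean matchesPin(SslError error) {
        try {
            String host = URI.create(error.getUrl()).getHost();
            if (!PINNED_HOST.equalsIgnoreCase(host)) return false;   // also false for a null host
            if (error.hasError(SslError.SSL_EXPIRED)) return false;  // a pin does not excuse expiry
            // saveState() exposes the DER bytes on all API levels; the bundle key is the one
            // AOSP uses internally. On API 29+ getX509Certificate() is the documented route.
            Bundle state = SslCertificate.saveState(error.getCertificate());
            byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
            if (der == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString().equals(PINNED_SHA256);
        } catch (Exception e) {
            return false;   // malformed URL or unavailable digest: fail closed
        }
    }
}
```

In a Cordova project the same matchesPin check can stand in for the unconditional handler.proceed() inside SystemWebViewClient.onReceivedSslError.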

Finally, I want to make a note that this issue with Thawte's certificate is one of the important reasons for us to quit participating in this global security theatre by abandoning SSL altogether. I will describe later how to make your connections safe without using those ready-made solutions that plainly do not work.
