Certificate Authentication using Webview in Android
If your business relies on certificate-based authentication and supports web-based authentication, this blog will guide you through the essential steps required on the client side. We will explore two common use cases and delve into the setup of WebView for secure authentication.
Use Case #1: Installing the Certificate in Device Keychain
In this scenario, users are prompted by a system dialog to select the appropriate certificate during authentication. Certificates are typically distributed via email or downloaded from a local CA as a password-protected PKCS#12 (.pfx) file.
Steps to Install the Certificate in Device Keychain:
- Go to device settings and search for “Install a Certificate.”
- Select “VPN and App user certificate.”
- Choose the downloaded certificate and enter the certificate password.
While these steps should work for most devices, custom devices may require specific installation procedures.
Pros:
- All apps on the device can use the same certificate for login.
Cons:
- The credential is shared device-wide: any app on the device can ask the user for access to it, and the .pfx file and its password have already been handled outside your app (email, Downloads), so your app cannot guarantee where the private key has been.
For scenarios where security is paramount, see Use Case 2 below, which keeps the certificate inside the app.
Use Case 2: Keeping Certificates in the App’s Keystore
In this use case, the app itself downloads the certificate from the server and stores it in the app's own Keystore. The certificate is never installed device-wide, so no other app can use it and the user is not shown a system chooser. The details of retrieving and using the key are covered in the next blog: “Using Certificates from the App’s Keystore.”
KeyChain vs. Keystore:
- KeyChain: Offers system-wide credentials that multiple apps can use with user consent.
- Keystore: Lets an individual app store credentials that only that app can use, with no cross-app sharing and no system chooser dialog.
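To make the Keystore side of this comparison concrete, here is an added example (not code from the original post) of importing a downloaded .pfx into the app-private AndroidKeyStore and later pulling the entry back out in the form that WebView's `ClientCertRequest.proceed()` expects. The alias name `client-auth-cert` and the `AppCertStore` object are assumptions for illustration; the PKCS#12 bytes and password come from wherever your app downloads them.

```kotlin
import java.io.ByteArrayInputStream
import java.security.KeyStore
import java.security.PrivateKey
import java.security.cert.X509Certificate

// Added example, not part of the original post. ALIAS is a hypothetical name.
object AppCertStore {
    private const val ALIAS = "client-auth-cert"
    private const val ANDROID_KEYSTORE = "AndroidKeyStore"

    /**
     * Import a password-protected .pfx/.p12 that the app downloaded into the
     * app-private AndroidKeyStore. Keep the bytes in memory only; never write
     * the .pfx to external storage.
     */
    fun importPkcs12(pfxBytes: ByteArray, password: CharArray) {
        val p12 = KeyStore.getInstance("PKCS12").apply {
            load(ByteArrayInputStream(pfxBytes), password)
        }
        // A PKCS#12 file can hold several entries; take the first private key entry.
        val srcAlias = p12.aliases().toList().firstOrNull { p12.isKeyEntry(it) }
            ?: throw IllegalArgumentException("PKCS#12 contains no private key entry")
        val key = p12.getKey(srcAlias, password) as PrivateKey
        val chain = p12.getCertificateChain(srcAlias)
        password.fill('\u0000') // do not keep the password around longer than needed

        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        // AndroidKeyStore entries are not protected by a password; the parameter must be null.
        ks.setKeyEntry(ALIAS, key, null, chain)
    }

    /**
     * Load the credential in the shape WebView's ClientCertRequest.proceed() wants.
     * Returns null if nothing has been imported yet.
     */
    fun loadClientCredential(): Pair<PrivateKey, Array<X509Certificate>>? {
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        val entry = ks.getEntry(ALIAS, null) as? KeyStore.PrivateKeyEntry ?: return null
        val chain = entry.certificateChain.map { it as X509Certificate }.toTypedArray()
        // entry.privateKey is a handle: signing happens inside the keystore,
        // the key material cannot be exported back out.
        return entry.privateKey to chain
    }

    /** Remove the credential, e.g. on logout or when the server revokes it. */
    fun clear() {
        KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }.deleteEntry(ALIAS)
    }
}
```

Two caveats: an imported key is only as well protected as the keystore's import path allows (a key generated on the device with `KeyGenParameterSpec` can be hardware-backed and attested; an imported one generally cannot), and `importPkcs12` deliberately zeroes the caller's password array, so do not reuse it afterwards.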
Setting Up WebView:
As previously explained in the blog “How Certificate Authentication Works,” when the server requests a certificate, WebView receives a callback in the WebViewClient’s onReceivedClientCertRequest(view: WebView?, request: ClientCertRequest?) method.
What is WebViewClient?
WebViewClient receives the WebView’s callbacks for page loading, URL navigation (shouldOverrideUrlLoading), TLS errors (onReceivedSslError) and client certificate requests (onReceivedClientCertRequest). JavaScript dialogs and progress reporting go to WebChromeClient instead. We will create a custom class by extending WebViewClient.
`onReceivedClientCertRequest()` notifies the host application of a TLS client certificate request. The host application is responsible for showing a chooser UI if desired and supplying the private key and certificate chain. There are three ways to respond: `proceed(privateKey, certChain)`, `cancel()` or `ignore()`. If you do not override this method, the default implementation cancels the request and the server sees no client certificate. WebView remembers a `proceed()` or `cancel()` decision for that host and port and reuses it for later requests; `ignore()` answers the current request without remembering anything.
The ClientCertRequest object carries the server’s constraints for selecting a client certificate: the host and port, the acceptable key types (`getKeyTypes()`) and the accepted issuer principals (`getPrincipals()`). KeyChain is used to access the private key and its certificate chain in the system credential storage.
`KeyChain.choosePrivateKeyAlias(mWebViewActivity, keyChainCallback, request.getKeyTypes(), request.getPrincipals(), request.getHost(), request.getPort(), null);`
Passing the request’s key types and principals (instead of null) lets the chooser list only keys the server will actually accept.
The choosePrivateKeyAlias method shows a system dialog from which the user selects one of the installed private keys and certificate chains. The chosen alias is passed to `KeyChainAliasCallback.alias(String)`, or null if no matching private key is available or the user cancels the request.
`KeyChain.getPrivateKey()` returns the PrivateKey for the requested alias, or null if there is no result; `KeyChain.getCertificateChain()` returns the matching chain. Both methods may block while waiting for a connection to another process, so they must never be called from the main thread.
Finally, set the `CustomWebViewClient` instance as the WebView’s WebViewClient before loading the authentication URL.
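The whole client-side flow above, as an added example that is not code from the original post: a `CustomWebViewClient` that answers `onReceivedClientCertRequest` with the KeyChain chooser, does the blocking key lookup off the main thread, and refuses TLS errors. The host allowlist (`auth.example.com`) and the class and executor names are assumptions for illustration.

```kotlin
import android.app.Activity
import android.net.http.SslError
import android.security.KeyChain
import android.security.KeyChainAliasCallback
import android.webkit.ClientCertRequest
import android.webkit.SslErrorHandler
import android.webkit.WebView
import android.webkit.WebViewClient
import java.util.concurrent.Executors

// Added example, not part of the original post.
class CustomWebViewClient(
    private val activity: Activity,
    // Only these hosts may ever be offered the client certificate. Hypothetical value.
    private val allowedHosts: Set<String> = setOf("auth.example.com"),
) : WebViewClient() {

    // KeyChain.getPrivateKey/getCertificateChain block on IPC; keep them off the UI thread.
    private val executor = Executors.newSingleThreadExecutor()

    override fun onReceivedClientCertRequest(view: WebView?, request: ClientCertRequest?) {
        val req = request ?: return
        val host = req.host ?: ""
        if (host !in allowedHosts) {
            // Never hand the client certificate to an origin we did not expect
            // (e.g. a third-party resource loaded by the login page).
            req.cancel()
            return
        }

        val callback = KeyChainAliasCallback { alias ->
            if (alias == null) {
                // No usable key installed, or the user dismissed the chooser.
                req.cancel()
                return@KeyChainAliasCallback
            }
            executor.execute {
                try {
                    val key = KeyChain.getPrivateKey(activity, alias)
                    val chain = KeyChain.getCertificateChain(activity, alias)
                    if (key != null && chain != null) req.proceed(key, chain) else req.cancel()
                } catch (e: Exception) { // KeyChainException or InterruptedException
                    req.cancel()
                }
            }
        }

        // Pass the server's constraints so the chooser lists only keys it will accept.
        KeyChain.choosePrivateKeyAlias(
            activity, callback,
            req.keyTypes, req.principals,
            host, req.port,
            null, // no pre-selected alias
        )
    }

    override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler?, error: SslError?) {
        // A client certificate does not excuse a bad server certificate:
        // cancel the load, never call handler.proceed() here.
        handler?.cancel()
    }
}

// Wiring, in the Activity, before loading the authentication URL:
//   webView.webViewClient = CustomWebViewClient(this)
```

Because WebView remembers a `proceed()` or `cancel()` for the host and port, the chooser appears once per session for the allowed host; if you need the user to be asked again (for example after switching accounts), clear the WebView’s client certificate preferences with `WebView.clearClientCertPreferences()` rather than relying on repeated callbacks.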
Conclusion:
By following these steps, you can manage client certificates in Android WebView for secure authentication. The choice between the device KeyChain and the app’s own Keystore depends on whether the credential should be shared with other apps on the device or confined to yours.