I have an NSB app that is designed for internal corporate use only. It calls several web services, and for years has only called http:. We now need to support http and https, and https calls are not working.
Currently my Content Security policy is empty, so is it safe to assume that https is blocked in this condition? I’d like to open up the ability to call any http or https URL, as they are all managed internally so security is not an issue. Would a CSP like this do the trick? Not exactly sure on the syntax for wildcard http or https.
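Added example, not from this thread or from AppStudio/Cordova: a simplified JavaScript matcher for the CSP connect-src rules the question asks about, so the effect of an empty policy, of scheme-only sources such as `http: https:`, and of a host wildcard can be checked offline. Hostnames and the page URL are constructed; ports, paths, nonces and hashes are deliberately out of scope.

```javascript
// Simplified CSP connect-src matcher (added example, not AppStudio or Cordova code).
// Handles '*', 'none', 'self', scheme sources (http:, https:) and host sources with
// an optional leading "*." wildcard. Ports, paths, nonces and hashes are ignored.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// "*.corp.internal" matches any subdomain but not the bare apex host.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) return hostname.endsWith(pattern.slice(1));
  return pattern === hostname;
}

function sourceMatches(src, target, page) {
  const s = src.toLowerCase();
  // '*' never matches data:, blob: or filesystem: URLs
  if (s === "*") return !["data:", "blob:", "filesystem:"].includes(target.protocol);
  if (s === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source
  // host-source: optional scheme, then host (port/path ignored in this simplification)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, host] = m;
  // no explicit scheme: the page's own scheme, or an http->https upgrade, is allowed
  const schemeOk = scheme
    ? target.protocol === scheme + ":"
    : target.protocol === page.protocol ||
      (page.protocol === "http:" && target.protocol === "https:");
  return schemeOk && hostMatches(host, target.hostname);
}

// Returns true when a fetch/XHR to `url` from a page at `pageUrl` passes the policy.
function isConnectAllowed(policy, url, pageUrl) {
  if (!policy.trim()) return true; // an empty policy imposes no restriction at all
  const d = parseCsp(policy);
  const sources = d["connect-src"] ?? d["default-src"]; // connect-src falls back
  if (!sources) return true;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const target = new URL(url), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, target, page));
}
```

Call `isConnectAllowed(policyString, targetUrl, pageUrl)` with the policy you intend to ship to see whether a given web-service URL would be blocked before building the app.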
Your actual CSP will depend on a lot of things, such as running as a web app or native app. Here’s a real-world example - there are lots of others on the net.
Our challenge is that some of the security implemented at our customer is preventing us from running Remote Console. The devices are on an internal Wi-Fi and the devices (Android phones) have manually added root and intermediate certificates. Is there any way to create any type of debug features in a test app to see what is going on? Right now the app calls GETJSON and just never returns, so we are at a dead end. I can manually call the web service that the app is trying to call from the phone’s browser, but the app is having no luck.
Thanks! Sorry I didn’t realize it was a holiday for y’all so thanks for the support.
It’s a tough one: the device actually requires a certificate on the Android device and server, as it is an internally signed cert, making this super challenging. Any thoughts on what the most unrestrictive CSP might be?
Also, I wasn’t sure if it needed to be wrapped with
Tip: If you’re pasting code, html or config files, surround the code with triple back ticks (```), before the first line and after the last one. It will be formatted properly. (We fixed it for you this time)
Try running locally on your system to make sure it is syntactically correct.
To get output on the Remote Console, you need to make a debug build. Can you explain to the client why you need to do this for a very limited test time?
Finally we were able to get permissions correct on our network devices to run debugger and have discovered a way to make this work.
#1 - We went back to a blank CSP.
#2 - App calls JSON over HTTPS fine as long as the app is built with the Cordova command Run Android --Debug. If we Run Android --Release, HTTPS no longer works.
So what is different from an app perspective between Debug and Release? I’m suspecting maybe a blank CSP is an issue, but why it runs in Debug is a mystery.
A few Google searches and it looks like DEBUG perhaps ignores all SSL errors, whereas RELEASE captures them.
Our problem seems to be SSL-related; the customer we are running requires client certificates on the phone itself, so a bit different. We are trying various CSP settings, but most of the time the app does not return any errors in the debug console.
GetJSON - never returns
AJAX - Responsestatus=0, responsetext=undefined
In Chrome debugger, network window shows the call status “Cancelled”
I have also seen several searches talking about challenges with certificate issues internally (in this case it is an internal corporate cert) and wondering if this is something in the APK that is not recognizing these certs…
I think you’re right that it has something to do with the client’s certificates. The work of building the APK is done by Cordova. I’d look there for possible solutions:
We are doing testing on the app to ensure that the remaining production build attributes are ok, but it solved the issue. Thank you for your support, one of the best in the industry!!
`application android:debuggable="true"` in config.xml
works, and the production build still works as prod (so it still allows updates without uninstalling the original APK first, like you have to do with a normal debug release).