Android WebView and network-security-configuration

Question

I'm developing on Android 8 (26 API, Oreo) and I use android.webkit.WebView in my app.

I would implement "secure network connection" when I load pages with my WebView (in other words I would avoid man-in-the-middle problems and self-signed certificates)

To do this I used network security configuration (on Android from version 7.0 N, 24 API)

So:

In res>xml>network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">MY_DOMAIN.com</domain>
        <pin-set>
            <pin digest="SHA-256">MY_PIN</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I found MY_PIN inserting MY_DOMAIN.com here: https://report-uri.com/home/pkp_hash

In manifest>AndoridManifest.xml

...
 <application
        android:networkSecurityConfig="@xml/network_security_config"
...
 </application>

In the onCreate of my app I simply do:

WebView webView = new WebView(this);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(..)..
    @Override
    public void onPageFinished()..
    ...});
webView.loadUrl(MY_DOMAIN.com);

According to Android docs I'm doing it right but I have a problem: it's like network_security_config.xml is never checked because I can set every "random" and "wrong" value for the pin and it works normally (URL MY_DOMAIN.com is loaded normally without blocking behavior).

So that means that if some man-in-the-middle return back one different pin of those I've written in res>xml>network_security_config.xml the application continue running well and with no secure behavior. It also does not execute one of the overridden error method of WebViewClient.

Please help I can not understand my error.

Answer 1

[SOLVED]

In AndoridManifest.xml I declared

 <application
        android:networkSecurityConfig="@xml/network_security_config"
 ...
 </application>

Editor warned about a problem related to the SDK version but I didn't see it. This is the warning.

[SOLUTION]

Add this tools:targetApi="n" to the Manifest like the following:

<application
    android:networkSecurityConfig="@xml/network_security_config"
    ...
    tools:targetApi="n">

[EDIT]

SSL error is handled in public void onReceivedSslError(...) of WebViewClient (See the following code)

  webView.setWebViewClient(new WebViewClient() {
            public void onReceivedSslError(WebView view, 
                final SslErrorHandler handler, SslError error) {
                     //HANDLE HERE THE ERROR!!!
                ...
            }
        ...
  });