Summary
The issue of Flutter HTTPS calls failing on older Android devices (Android 7 and below) while working on modern devices can be attributed to the way these older devices handle SSL certificate validation. By default, older Android versions may not support the latest TLS versions or may have issues with the certificate chain, leading to failed HTTPS requests. Bypassing SSL certificate validation allows the app to make requests, but this is not a secure or recommended solution.
Root Cause
The root cause of this issue can be identified as:
- Outdated TLS support: Older Android devices may not support the latest TLS versions required by the server.
- Certificate chain issues: The SSL certificate used by the server may not be properly configured or may be missing intermediate certificates, causing validation failures on older devices.
- Flutter’s HttpClient configuration: The default HttpClient configuration in Flutter may not be compatible with older Android devices.
Why This Happens in Real Systems
This issue occurs in real systems due to:
- Inconsistent TLS support: Different devices and platforms have varying levels of TLS support, leading to compatibility issues.
- Certificate configuration mistakes: Incorrect or incomplete SSL certificate configurations can cause validation errors on certain devices.
- Legacy device limitations: Older devices may have limitations in their SSL/TLS implementation, making them more prone to validation failures.
Real-World Impact
The impact of this issue includes:
- Failed API requests: HTTPS requests may fail on older Android devices, leading to a poor user experience.
- Security risks: Bypassing SSL certificate validation can expose the app to security risks, such as man-in-the-middle attacks.
- Limited compatibility: The app may not be compatible with older Android devices, reducing its potential user base.
Example or Code
import 'dart:io';
import 'package:flutter/material.dart';

// Insecure bypass: the callback returns true for ANY certificate, so a
// man-in-the-middle certificate is accepted. This is the workaround the
// article warns against, shown for reference only.
class MyHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) {
    return super.createHttpClient(context)
      ..badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
  }
}

void main() {
  // Applies the override to every dart:io HttpClient in the process.
  HttpOverrides.global = MyHttpOverrides();
  runApp(const MyApp()); // MyApp: the app's root widget, defined elsewhere
}
How Senior Engineers Fix It
Senior engineers fix this issue by:
- Updating the server’s TLS configuration: Ensuring the server supports the latest TLS versions and configuring the SSL certificate correctly.
- Configuring Flutter’s HttpClient: Giving the HttpClient the trust configuration older Android devices lack (such as the certificate chain the device cannot complete on its own) instead of disabling validation.
- Implementing certificate pinning: Restricting the app to trust only the expected SSL certificate, so a bad-certificate bypass is never needed.
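The hardened counterpart to the bypass shown above, as an added example that is not code from the original article: the CA chain is bundled with the app so older devices can complete validation, the bad-certificate callback always rejects, and every response is checked against a pinned fingerprint. It assumes the package:crypto dependency, an asset at assets/ca.pem declared in pubspec.yaml, and a placeholder fingerprint value that you replace with your own.

```dart
import 'dart:convert';
import 'dart:io';
import 'package:crypto/crypto.dart'; // assumed dependency: package:crypto from pub.dev
import 'package:flutter/services.dart' show rootBundle;

// Placeholder, not a real value: the lowercase hex SHA-256 of the DER encoding
// of the server certificate you deploy, obtained out-of-band.
const String kPinnedSha256 = '<sha256-hex-of-your-server-certificate>';

// Hex SHA-256 fingerprint over a certificate's DER bytes.
String fingerprint(X509Certificate cert) => sha256.convert(cert.der).toString();

// Builds an HttpClient that trusts the CA chain bundled with the app (assumed
// asset path assets/ca.pem). Shipping the chain addresses the
// missing-intermediate problem on older devices without disabling validation;
// the bad-certificate callback always rejects instead of returning true.
Future<HttpClient> buildPinnedClient() async {
  final pem = await rootBundle.load('assets/ca.pem');
  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificatesBytes(
        pem.buffer.asUint8List(pem.offsetInBytes, pem.lengthInBytes));
  return HttpClient(context: context)
    ..badCertificateCallback =
        (X509Certificate cert, String host, int port) => false;
}

// Performs a GET and enforces the pin on the certificate the TLS session
// actually presented, so a certificate that chains correctly but is not ours
// is still rejected.
Future<String> pinnedGet(HttpClient client, Uri uri) async {
  final request = await client.getUrl(uri);
  final response = await request.close();
  final presented = response.certificate;
  if (presented == null || fingerprint(presented) != kPinnedSha256) {
    client.close(force: true);
    throw const HandshakeException(
        'Server certificate does not match the pinned fingerprint');
  }
  return response.transform(utf8.decoder).join();
}
```

Rotate the pinned value together with the server certificate, or pin the CA that issues it, so a routine renewal does not lock users out.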
Why Juniors Miss It
Junior engineers may miss this issue due to:
- Lack of experience with SSL/TLS: Limited knowledge of SSL/TLS and its implementation on different devices and platforms.
- Insufficient testing: Not thoroughly testing the app on older Android devices, leading to undiscovered compatibility issues.
- Overlooking security best practices: Failing to follow security best practices, such as certificate pinning, and instead opting for insecure workarounds like bypassing SSL certificate validation.