Xamarin.Forms: Bypass SSL Certificate validation on Android

Disclaimer: Bypassing SSL Certificate validation in production releases are not recommended. It can make your application vulnerable by hackers and reverse engineers, and your users will be unprotected from the bad guys. Consider to use the following codes with compile directives.

But in the other hand, it can be handful to just ignore the certification errors in development enviroment. Local machines has self signed certificates, and it is easier to just bypass the validation method, rather than set the self signed certificate acceptance in our client applications.

In Xamarin.Android (Lower than Android 10) and Xamarin.iOS, use the ServicePointManager in order to make your own certificate validator algorithm. The code below just accepts every cert.

ServicePointManager.ServerCertificateValidationCallback =
            (message, certificate, chain, sslPolicyErrors) => true;

To bring Android 10 also to work, construct your HttpClient with the following constructor:

            var httpClientHandler = new HttpClientHandler();
#if DEBUG
            httpClientHandler.ServerCertificateCustomValidationCallback =
                (message, certificate, chain, sslPolicyErrors) => true;
#endif
            var httpClient= new HttpClient(httpClientHandler);
This content has 3 years. Some of the information in this post may be out of date or no longer work. Please, read this page keeping its age in your mind.

[Xamarin.Android]: Cleartext HTTP traffic to not permitted

If your Android application gives the following error, when trying to use a HttpClient:

Java.IO.IOException: 'Cleartext HTTP traffic to 192.168.0.10 not permitted'

Set usesClearTraffic property to true in the AndroidManifest.xml:

<application android:label="MobileSolution.Android" 
	     android:theme="@style/MainTheme"
             android:usesCleartextTraffic="true">
		
</application>

The restriction was introduced in Android 8. More explanation: https://koz.io/android-m-and-the-war-on-cleartext-traffic/

This content has 3 years. Some of the information in this post may be out of date or no longer work. Please, read this page keeping its age in your mind.