Recently I read quite a lot about SSL, but all articles concerned webpages. Let's suppose I'd like to make an internet service with webpage, mobile app and C++ windows app. Users must have their accounts, so they need to send to a server data like username, password, etc. As a webpage I'd like to have Angular app and some backend technology (Node for example). Windows and Android app will use the same backend server as Angular, and they will connect to it by REST API. If I install SSL on the server, where web apps are stored (both front-end and back-end), all the data sent in HTTPS requests should be safe. But what about the data sent from Android app and Windows app (made in MFC in my case)? If I have understood those articles well, internet browsers encode sent data, and decode received one themselves. But do I need to handle HTTPS connection in Android and Windows application myself?
For android, if you will use self signed certificates, you'll have to express how to handle that on your app. See how it's explained here https://stackoverflow.com/a/997495/4242450. But overall if you are using trusted certificates, there's no need to worry about SSL handshakes, encryption or decryption data for yourself.
Here's a piece I found on https://developer.android.com/training/articles/security-ssl
Assuming you have a web server with a certificate issued by a well known CA, you can make a secure request with code as simple this:
val url = URL("https://wikipedia.org")
val urlConnection: URLConnection = url.openConnection()
val inputStream: InputStream = urlConnection.getInputStream()
copyInputStreamToOutputStream(inputStream, System.out)
Related
I'm new to web-crawlers, trying to crawl ridership data of metro from the cellphone maps app(www.amap.com) with Fiddler, but I got this HTTP connect method, which is not viewable. There are icons of locks next to the URL and in 'Response' it says this:
'Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.'
I found a solution suggesting that customizing rules in fiddler may help, so I followed and added this to its script:
if (oSession.oRequest[‘User- Agent’].IndexOf("Android") > -1 && oSession.HTTPMethodIs("connect")) {
oSession.oResponse.headers["Connection"]="Keep-Alive";
}
The changes to Fiddler Script
But of course, it didn't work, I've tried both iPhone and android and changed the header in the script respectively, none of them helped.
So is this app and HTTP connect method crawlable? The data is constructively helpful to my research, instead, it is not provided in website 'amap', so it has to be done through a cellphone.
If you have HTTPS decryption enabled in Fiddler but you see (mostly) only CONNECT requests this means that the apps on the device try to open a connection but do not trust the Fiddler root certificate.
If you try to use the apps on-device you will notice that there is currently no working network connection available (requests just don't work as the apps don't accept the server certificate created by Fiddler).
On Android devices since Andorid 6 you need root permissions to instal the Fiddler rot certificate or alternatively if you want to monitor a single app you can try to modify and re-sign the app. All details are described in this question and answer:
Some androids apps won't connect through fiddler
I'm working on android app which is communicating with REST API on my server, which is self-signed. My API is running on node, using framework Loopback.
Right now, my API is not secured, so I can send requests from my android app and it works fine. Only my domain is secured. API running on port 3000. And now, the problem comes.
I have created a web form for password reset, so when user is in the app and wants to reset password for his account, he gets email. He can open this email with reset link either in the app or in a browser.
1. case
When user opens the reset link in browser, he is on HTTPS URL. When he enters new password and hits button to change the password, he is sending request from HTTPS to unsecured API on HTTP.
This gives me error:
The page at xxx was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint xxx. This request has been blocked; the content must be served over HTTPS.
Here is my function:
function post() {
const urlParams = new URLSearchParams(window.location.search);
const token = urlParams.get('access_token');
console.log("TOKEN:", token);
const user = {
newPassword: document.querySelector('#input-password-check').value,
}
const http = new XMLHttpRequest()
http.open('POST', 'http://www.example.com:3000/api_path/reset-password')
http.setRequestHeader('x-access-token', token)
http.send(JSON.stringify(user))
http.onload = function() {
alert(http.responseText)
}
}
2. case
When I secure my API so both, my domain and API are HTTPS, I could reset passwort from web, but when I send request, I get ERR_CERT_AUTHORITY_INVALID. And also from android APP, since it doesn't trust my certificate. And I was unable to find a solution how to make my app to trust it.
I should also say that I am parsing token from url and when reseting password in app, that token is sent in header and I send request from my app in java... Not opening website. All goes through retrofix + rxjava.
Any ideas how to solve this? I don't want to go around it, I want to do it right, but also not willing to pay for SSL certificate which will be trusted...
I was able to solve this problem by using Lets Encrypt certificates. Previously, I had lets Encrypt installed on my server but I created new, self-signed certificates for Loopback API, which was stupid and I did not know what am I doing.
So don't forget to set certificate path for loopback api to Lets encrypt ones.
I'm using Charles proxy to fetch all the requests coming from my Android app to a webservice.
The thing is Charles shows me the complete request, meaning I can see the whole URL, headers and body so I can see www.example.com/rest/resource/param1/param2,
the JSON I send with it and also the authentication header.
After reading several posts like this and this one I thought the good part of working with the TLS was that one could only get the domain name from the URL, in this case www.example.com
To make sure it's not the client's fault, I requested the webservice resource with Retrofit and HttpsURLConnection and I could see the whole request both times.
I guess also the certificate is properly installed because it is shown in the browser every time an https request is made. Am I missing something else here or is this the normal behaviour?
So far I couldn't find a reason for this to happen so any help will be appreciated.
To debug with Charles proxy you must install a certificate on your browser (client).
With https the URL is encrypted.
But because you choose to use that proxy, your browser establish a secure connection to that proxy, and the proxy to the website. So, only 1) you, 2) the proxy 3)the website can decrypt the https traffic.
By installing a CA certificate on your browser, you allow the person detaining the corresponding private key (in your case, your proxy) to impersonate (so, decrypt with a MITM) any website.
I have given a 3rd party API to access a service to get some work done from a client Android App.
There they have provided Service hosted URL and the PORT number and asking to send raw bytes (Request data) over a SSL IP Socket connection to it.
Steps they Ask to follow
Open a SSL connection to Service. The SSL Connection will be mutually authenticated. (Self signed certificate)
Send request data in a CSV structure format (Raw bytes over a SSL IP Socket connection).
The App now will receive a response (byte stream) from the SSL connection.
Questions
Is this a standard way to do in Android?
I have previousely communicated with web services by sending request data over HTTP/S (POST and GET) methods but wonder how to do this. Read many tutorials (LINK1) but still bit not exactly sure how to do this.
Would like to here what exactly(steps) I have to do in here. Thanks....
Using SSL is standard practice on any platform that needs to protect data. It has nothing to do with Android specifically.
In an Android client app, you can use the SSLSocket class. It will handle the SSL portion for you, so all you have to focus on is sending the CSV data and reading the response data.
I have an app that is on both Android & iOS. To encrypt the data that is sent to a PHP script, from the app side of things, is it just a case of adding an "S" to "HTTP://....." and then everything is encrypted when sent up?
Tried Google but couldn't find anything related. Thanks.
No you can't just add an s.
the 's' in https signifies that the connection is secured by TLS (Transportation Layer Security) . This is achieved via authentication using certificates and Public Key Cryptography.
See:
http://computer.howstuffworks.com/encryption.htm
http://en.wikipedia.org/wiki/Public-key_cryptography
for IOS specific implementations see
https://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-TP9