I am building an Android Application which consumes a REST Api through an HTTPS connection. Right now to ensure the connection to this api I am using a file cert embedded in the app as explained in this example, at Android Documentation.
It is working well, but recently the certificate has changed and I had to publish the Application again with the new cert file.
My question is: What is the best way to avoid this everytime the certificate changes? How to do it without using a cert file embedded directly in the app?
Thanks!
Related
Could you suggest how to add a self-signed certificate on Android (MIUI 12, Android 10).
There is a mobile app for Android, and a backend written in symfony. We have a bug that is very difficult to catch, and it is not clear whether it is a bug in the app or a problem in the backend. Currently, it is not known which endpoints in which order the mobile app calls. When I test my local backend through postman, everything works as expected (there is no bug). When I test on Android (which is directed to the stage), I can see a bug. Hence, it was decided to build the application directed to local backend by replacing the api-url with the hostname of my laptop. Then the requests would go over the local network to the local backend, where it would be possible to debug what exactly is happening. But once we've built the app, it turned out that it's not that simple to send requests to the local backend since a self-signed certificate is used. I tried to add this certificate to the android config, but nothing changed. Though, certificate shows up in the list. Maybe I made some mistakes when converting that certificate (because xiaomi doesn't allow to import a .crt file), or maybe it's backend that is configured incorrectly.
Can anyone who has encountered such a problem tell me how to set the environment up correctly. Maybe there is some guide on this topic.
PS. It is not an option to use Ngrok, because it will be necessary to distract the mobile team every time in order to build the application with the new url.
I created an app via cordova/PhoneGap is loaded and running successfully on PlayStore.
This app performs call in Ajax in https (with certificate).
A short time ago I renewed this certificate for my domain and from that moment the app stopped working.
I read this: https://developer.android.com/training/articles/security-ssl.html#Blacklisting
That Android can block my calls? I ended up in the blacklist? How do I check this?
NOTE: The same app for the iPhone has remained functional. For this reason I think it is the only cause.
The SSL Labs Server Test indicates that the server is sending an incomplete certificate chain for this domain. You can use What's My Chain Cert? to obtain the correct chain that needs to be sent by your server and Android apps should be able to validate trust.
As for why this worked in iOS and not in Android, check out this answer.
I am developing an iOS & Android Application with React Native. I use to access my backend server with "normal" url -> http:// ....
Now since i have changed it and added ssl i need to use my new backend url with ssl which is https://
On iOS everything works like it should. The problems are caused by my android app.
I am not sure how to solve this. Is there anything i have to do to access ssl based urls for android? Maybe in my Manifest or something? Any hints would be great...
Android doesn't want to trust server's certificate.
Which Android version you'd tested?
Older versions like 4.1.x haven't installed 'less known' CA's.
Try it with Marshmallow.
To fix it you can always install a proper certificate on the device by hand (settings->security->load ca from sdcard) or change CA on the server to one which is more 'known' (probably more expensive).
BTW. Check out the logs. It should fail on SSl handshake.
Another test you can do is publishing a simple website by this server and try running this website over https on affected Android device. If the system doesn't trust it browser will alert you about that. For instance:
I have created an app which would get data from my DB through RESTful services.
What I have tried is I have implemented SSL on service level using self-signed certificate (for now) and in order for android app to communicate with services, I have imported same SSL certificate in my android application.
I wanted to confirm about my approach and also is it secure option because I think someone can get the certificate from android app by reverse-engineering. If no what will be the most secure option to do that?
We are creating a browser based HTML5 application targeted for Android devices through the Chrome browser. Security is a chief concern and beyond userid/password requirements, the company also desires to ensure each user has a proper SSL certificate installed before granting access.
Does this even make sense, and if so, can someone provide some resources where I can research this further?
I always thought the cert was stored on the server to secure a session between itself and a client. But I am not aware of the browser somehow providing an installed cert to a server that ensures it is a valid client.
SSL communications can involve certificates installed to both the client and server. An IIS website can be configured to require a client side certificate is installed.
Regarding Android, current versions do not support leveraging an installed client side certificate through the browser. This thread is tracking this particular feature.
http://code.google.com/p/android/issues/detail?id=11231#c107