Android Application not connecting to HTTPS using self signed certificate - android

I am working on an application in which I have to post certain data via HTTPS services. I am using a self-signed certificate, but I am not sure where to register this certificate on my device, and I don't want to use the inbuilt browser kit. As I understand it, if I use the browser kit I can add my certificate and install it under "user" certificates.
Is there any way to add this certificate at the "system" level in Android rather than at the "user" level?
Can someone suggest? Someone who has worked on VPNs would be more aware of it.

I am working on an application in which I have to post certain data via HTTPS services. I am using a self-signed certificate
If you are using HttpURLConnection, OkHttp, or HttpClient, you can create an SSLContext that uses a TrustManager that supports your self-signed certificate. I have some support for this with my TrustManagerBuilder in my CWAC-Security library, and there are plenty of examples of how to do this yourself, such as this blog post, by searching for android sslcontext self-signed in your favorite search engine.
If you are using some library for HTTP access, find out where you can configure its SSL functionality, or contact the author of that library if there does not seem to be an option for this.
Is there any way to add this certificate at the "system" level in Android rather than at the "user" level?
Users can install certificates. I am not aware that apps can install certificates, though I cannot rule it out. However, unless this certificate is needed for other apps, not just yours, please just use the certificate from your own app.

Related

Self-signed certificate for Android Application

I am developing an Android application which interacts with my server. For including the SSL layer, I created a self-signed certificate for my server. So, at present, when I access my server through a browser, it sends that certificate and once I save it, all works fine in the browser.
But I am not sure how I can move ahead so that my Android app will communicate effectively with the server. The thing I know so far is that I need to generate a keystore (.bks) for my Android application and pass it on to a TrustManager. I found various tutorials to generate the keystore but I am getting confused at a few points:
Will I need any info regarding the server's certificate for generating this keystore?
Is there any way through which I can replicate the browser like functionality in the application? (If the certificate is not from a trusted CA, add it to the list if the user confirms that.)
How will the server trust my keystore?
I might be mixing some of the concepts because I read a lot of articles regarding all this. The articles/questions that I have already referred are:
Bob Lee's blog
Blog on CodeProject
Using OkHTTP
StackOverflow answer
Extract cert from server and add to keystore
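The approach both questions above ask about (the first answer's "SSLContext that uses a TrustManager that supports your self-signed certificate", and the keystore-plus-TrustManager setup the second question is trying to piece together), as an added example that is not code from the original posts or from the linked blogs. It assumes the server's certificate has been exported (PEM or DER, the same file the browser showed) and placed in the app as a raw resource such as R.raw.server_cert; the resource name, the URL and the request body are assumptions. It also answers the three bullet points: the only information needed from the server is its public certificate, no .bks file has to be generated because the trust store is built in memory at runtime, and the server never needs to trust the client's keystore since it only sees an ordinary TLS handshake.

```java
import android.content.Context;

import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Trusts exactly one certificate: the server's own self-signed one, shipped
 * inside the APK. The device's system and user CA stores are not consulted,
 * so nothing has to be installed on the phone. Only the server's public
 * certificate is embedded; the server's private key stays on the server.
 */
public final class SelfSignedTrust {

    private SelfSignedTrust() {}

    /**
     * @param rawCertResId assumed resource such as R.raw.server_cert, a PEM or
     *                     DER file exported from the server.
     */
    public static SSLContext buildContext(Context appContext, int rawCertResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = appContext.getResources().openRawResource(rawCertResId)) {
            serverCert = cf.generateCertificate(in);
        }

        // Empty in-memory keystore built at runtime: no .bks file to generate and
        // no keystore password to hide, because it holds no private key.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No KeyManager: the client is not presenting a certificate of its own.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    /** POSTs body to url (assumed value, e.g. "https://api.example.test/upload"). */
    public static int post(Context appContext, int rawCertResId, String url, byte[] body)
            throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Scope the custom trust to this connection only; do not call
        // HttpsURLConnection.setDefaultSSLSocketFactory, which would change every
        // HTTPS connection in the process.
        conn.setSSLSocketFactory(buildContext(appContext, rawCertResId).getSocketFactory());
        // Keep the default HostnameVerifier: the certificate's subject/SAN must
        // still match the host name, or any server holding a copy of that
        // certificate could impersonate yours.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/octet-stream");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }
}
```

Two things worth checking before shipping this: the self-signed certificate must carry the server's host name (or IP) in its subject alternative name, otherwise the unchanged hostname verifier rejects it, and the trust manager above replaces, rather than extends, the platform CA list, so the same client will refuse a later certificate from a public CA until the embedded file is updated. On Android 7.0 and later the same single trust anchor can be declared in the app's Network Security Config instead; the code route works on every version.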

Will Self Sign Certificate work while publishing to chrome cast?

I am developing a simple Android application that will cast a URL (webpage) to a bigger display.
For publishing, "the receiver app must be served over SSL (HTTPS)". For that I have generated a self-signed SSL certificate and plan to use it.
URL for publish
However, on trying to access the page from a browser, it gives the following warning:
The site's security certificate is not trusted! You attempted to reach basilapps.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
So my query is:
(A) Will a self-signed certificate work fine during publishing?
(B) If not, do I need to purchase an SSL certificate from a trusted authority?
(C) Are there freely available trusted certificate services?
Thanks
Self-signed certs do not work, and yes, you need to get/use a trusted one from a known authority. If you can use App Engine, that works since it already has that. For development, either use http or use App Engine or even Google Drive (the last two support https).

Android prevent man-in-the middle attack for SSL

I'm using HTTPS in my Android app to communicate with my own API.
When I packet sniff, I don't see any information which is good.
However, when I use software like Fiddler2 to install a trusted certificate on my Android, I can see all my HTTPS calls in the clear which is dangerous.
The problem is very close to this one, but on Android, not iPhone:
hiding iOS HTTPS calls from fiddler
I am using loopj library to make my https calls: Android Asynchronous Http Client
http://loopj.com/android-async-http/
How can I deal with such a vulnerability? (I know how to deal with it conceptually, but I need example code.)
When the user chooses to install Fiddler2's certificate as a trusted root certificate, he is then choosing to compromise his own security. I'm not sure there's much you can do about it, since your application's HTTPS connection will go through Android's certificate validation system, which will consider the connection valid, since the certificate is trusted.
The solution I would go for is embedding your SSL certificate in your application, and telling your application it is the only trusted certificate. It's secure and free, as you can attach a self-signed certificate you created yourself, since you control the verification mechanism. See this blog article for a code example.
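A concrete form of "tell your application it is the only trusted certificate" is public-key pinning: the platform still validates the chain as usual, and then the leaf certificate's public key must match a hash compiled into the app. A proxy such as Fiddler presents a leaf it forged and signed with its own root; the user-installed root makes the chain check pass, but the forged leaf carries the proxy's key, so the pin check fails and the connection is refused. This is an added example, not the code from the blog the answer links to. The pin strings are placeholders (the comment shows how to compute the real ones), and it is wired into HttpsURLConnection to stay library-independent; loopj's AsyncHttpClient has its own setter for a custom SSL socket factory, which would take a factory built from the same SSLContext.

```java
import android.util.Base64;

import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Public-key pinning on top of the platform's normal chain validation.
 * Whatever CA store the device has, including a Fiddler or Charles root the
 * user installed, the handshake is rejected unless the leaf's
 * SubjectPublicKeyInfo hashes to one of the pinned values.
 */
public final class PinnedTrustManager implements X509TrustManager {

    // Placeholder values. Compute the real pin from your server certificate with:
    //   openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform DER \
    //     | openssl dgst -sha256 -binary | openssl enc -base64
    // Keep a second pin for the key you will rotate to next, so a certificate
    // renewal does not lock every installed client out.
    private static final String[] PINS_SHA256_BASE64 = {
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  // current key
            "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="   // backup key
    };

    private final X509TrustManager platform;

    public PinnedTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null = the device's default CA store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }
        platform = found;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkServerTrusted(chain, authType);   // step 1: ordinary validation
        if (!isPinned(chain[0])) {                       // step 2: pin on the leaf
            throw new CertificateException(
                    "public key pin mismatch for " + chain[0].getSubjectX500Principal());
        }
    }

    /** SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded, compared to the pin list. */
    static boolean isPinned(X509Certificate leaf) throws CertificateException {
        try {
            byte[] spki = leaf.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            String pin = Base64.encodeToString(digest, Base64.NO_WRAP);
            return Arrays.asList(PINS_SHA256_BASE64).contains(pin);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }

    /** Installs the pinned trust manager on a single connection. */
    public static void applyTo(HttpsURLConnection conn) throws Exception {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { new PinnedTrustManager() }, null);
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
    }
}
```

Pinning the key rather than the whole certificate means a renewal that keeps the same key pair needs no app update. If the server itself uses a self-signed certificate, the platform check in step 1 will fail; in that case replace the delegate with a trust manager built from that one certificate and keep the pin check as defence in depth. The pin only raises the bar: someone with the APK and a rooted device can still patch the check out, which is the limit the answer above points at.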

Securing a web service so it can only be called by a specific Android application

We have a web service that should only be called by a specific Android app. What solutions are there for this problem?
The requirement is to not use authentication at all.
If it's only your client and your server, you can (and should) use SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy it on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client certificate and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and to only accept the one server-side certificate you installed on your server for that part of it.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
You'll normally store that certificate/private key in a keystore of some type (a KeyStore if you're using Android) and that keystore will be encrypted. That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your use case. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in every time). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server.
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.
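The client half of the procedure in the answer above (present an embedded client certificate, trust only the one server certificate), as an added example that is not from the answer or the book it mentions. It assumes two PKCS#12 files in res/raw created with keytool on the developer machine: client.p12 holding the client certificate and private key, and server_trust.p12 holding only the server's self-signed certificate; the resource names, aliases and URL are assumptions. The password for client.p12 is passed in as a char[] so that the caller decides between the answer's options (1) and (2).

```java
import android.content.Context;

import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Arrays;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual TLS from the app side. Assumed keystores, built on the developer
 * machine and copied into res/raw:
 *   keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
 *           -storetype PKCS12 -keystore client.p12
 *   keytool -importcert -alias server -file server.crt \
 *           -storetype PKCS12 -keystore server_trust.p12
 * client.p12 carries a private key and must be password-protected;
 * server_trust.p12 carries only the server's public certificate.
 */
public final class MutualTlsClient {

    private MutualTlsClient() {}

    /**
     * @param clientPassword password of client.p12; whether it is typed by the
     *        user each time or stored in the APK is the trade-off the answer
     *        describes. The array is wiped once the KeyManager has consumed it.
     */
    public static SSLContext build(Context appContext, int clientP12ResId, char[] clientPassword,
                                   int trustP12ResId, char[] trustPassword) throws Exception {
        // Client identity: private key + certificate, sent when the server asks
        // for client authentication during the handshake.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = appContext.getResources().openRawResource(clientP12ResId)) {
            clientStore.load(in, clientPassword);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, clientPassword);
        Arrays.fill(clientPassword, '\0');

        // Server trust: only the one self-signed server certificate, not the
        // device CA store, so a certificate from any public CA is rejected.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = appContext.getResources().openRawResource(trustP12ResId)) {
            trustStore.load(in, trustPassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return sslContext;
    }

    /** Opens url (assumed value, e.g. "https://api.example.test/") with the mutual-TLS context. */
    public static HttpsURLConnection open(String url, SSLContext sslContext) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default HostnameVerifier stays in place: the server certificate's
        // subject/SAN must still match the host in url.
        return conn;
    }
}
```

On the server the matching configuration is to require a client certificate and accept only this one; with Apache that is SSLVerifyClient require together with SSLCACertificateFile pointing at the exported client certificate itself (a self-signed certificate is its own trust anchor). As the answer says, option (1) puts client.p12 and its password within reach of anyone who unpacks the APK, so the server must still treat a valid client certificate as "this is our app" rather than as proof of a particular user.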
I guess this will work with proper authentication in place. The first post I just stumbled upon was this one:
Securing communication from android to a web service
Hope it helps =)
If you're absolutely certain this web service will only need to be accessed by authorized applications/devices, go with client-side SSL certificates and restrict access at the server to only clients with authorized certs. This has the bonus feature of forcing SSL at all times so you don't leak auth secrets over an open channel. Here's a quick guide for Apache, but you could use nginx too:
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

android ssl certificate

Assuming my application needs to access my web server using a server certificate that is not supported by the Nexus One (or other Android devices), for example:
Is it possible to 'embed' the client certificate in the application? Is this the same as signing the app with the client certificate?
Thanks
Yes, it is possible to embed the server certificate in the application.
Look at my blog article. I posted a detailed description how you can achieve this with creating your own keystore.
