Using a self signed certificate with my app - android

I have a mobile app which accesses web services at https://myserver.com/mywebservice.
If I create a self-signed certificate and I put it on my server, when the mobile app accesses the web service it sees the certificate but it doesn't recognize it, as it is self-signed. But in this case, if I have a "man in the middle" attack, the attacker can create its own certificate, so the app sees the certificate and again it doesn't recognize it.
Question: When you use a certificate like those from GoDaddy, is iOS or Android programmed to trust GoDaddy certificates in order to work, so the fake certificate that the attacker uses is considered invalid? So if I make the app trust my certificate, I can use my self-signed certificate the same way?
Also, how can I know which certificates are trusted by iOS or Android?

Generally your app or the OS needs to trust the CA that issued the server certificate for this to work. If it is issued by a CA whose certificate is pre-installed, things just work. If not, you need to either install the CA in the OS trust store or modify your app to trust it. It doesn't really matter who created the certificate; VeriSign or GoDaddy certs are no more 'special' than your self-signed ones.
As for getting a list of trusted certs, Android 4.x and later lists those in Settings->Security->Trusted Credentials. For earlier versions you have to write some code to enumerate them. Don't know about iOS.
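As an added example (not code from the answer above), this is the standard way to make an Android app trust a single self-signed server certificate without touching the OS trust store; the raw resource name `myserver_cert` and the URL are assumptions.

```java
// Added example: trust one self-signed certificate bundled in res/raw/myserver_cert.cer
// (hypothetical resource). The OS trust store is left untouched; only this app's
// connections built through buildContext() accept the certificate.
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class SelfSignedTrust {
    // Builds an SSLContext whose only trust anchor is the bundled certificate.
    // Chain validation, expiry checks and hostname verification all stay at their defaults.
    public static SSLContext buildContext(Context ctx, int rawResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = ctx.getResources().openRawResource(rawResId)) {
            serverCert = cf.generateCertificate(in);
        }
        // Empty in-memory KeyStore holding just our certificate as a trust anchor.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("myserver", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    // A handshake with any server whose certificate is neither the bundled one nor
    // issued by it fails, which is what defeats the man-in-the-middle case from the question.
    public static HttpsURLConnection open(Context ctx, int rawResId, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildContext(ctx, rawResId).getSocketFactory());
        // Deliberately no custom HostnameVerifier: the default one still checks that the
        // certificate's SAN/CN matches the host in the URL (e.g. myserver.com).
        return conn;
    }
}
```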

Related

Are pinned public keys in the Network Security Configuration file trusted even if the CA that issued it is not?

Let's say that I have an app that transmits some sensitive info to my server. I want to reduce the risk of a man-in-the-middle attack on my users, so I pin the keys used by my server in the Network Security Configuration file.
But, let's say a user of my app does not trust the CA that issued our certificate, and has removed it from the list of trusted CAs, or maybe an OS update removes the CA because it has been found to be behaving badly.
Ideally, in such a case I would like my app to refuse to connect to the server. I only want it to make the connection if the certificate presented by the server is signed with a key in the pinset AND comes from a CA that is trusted by the OS/user. Does pinning a key in the network security config file accomplish this? Or, are pinned keys trusted no matter what?
The HPKP instructs the browser to store the signature for your server certificate for the period of time you specify. Using HPKP does not replace the standard certificate validation.
In your scenario the pinned PK in the browser will be valid for the server certificate your server is presenting, but the actual certificate validation will fail since the CA is not trusted.

certificate pinning - What happens when rogue developer gets certificate file in Android

In using certificate pinning, development is saying that no 3rd party will be trusted with the HTTPS certificate; instead it will be stored on the device. If I reverse engineer an Android APK, would I not have access to this certificate? I realize it's public, but I could use it to do man-in-the-middle attacks, correct? Where should I put the certificate so that no one can access it? I have a *.cer certificate file located in the resources folder in Android but need to know how secure it will be there.
The certificate is not secret, so don't worry about someone reverse engineering your certificate. To pin the certificate, simply embed your server's cert into your app. Then at runtime, when the server sends you its cert, compare it to the one you embedded to ensure they are the same. Do this in addition to all the usual SSL/TLS verification.
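The check described in this answer, as an added example (not the answer's own code): the platform's normal chain and hostname validation runs first, and only then is the presented certificate compared with the embedded copy, which is also the point made in the Network Security Configuration answer above (pinning adds to standard validation, it does not replace it). The resource name `server_cert` is assumed; the comparison is on the SHA-256 of the public key rather than the whole certificate, so a renewed certificate for the same key pair still matches.

```java
// Added example: compare the server's leaf certificate with a copy embedded in the APK
// (hypothetical resource res/raw/server_cert.cer), after default TLS validation succeeded.
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class EmbeddedCertPin {
    // The pinned certificate is public data: the server hands it out in every TLS
    // handshake, so extracting it from the APK gives an attacker nothing new.
    static X509Certificate loadPinned(Context ctx, int rawResId) throws Exception {
        try (InputStream in = ctx.getResources().openRawResource(rawResId)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Constant-time comparison of SHA-256(SubjectPublicKeyInfo) of both certificates.
    static boolean samePublicKey(Certificate presented, X509Certificate pinned) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] a = md.digest(presented.getPublicKey().getEncoded());
        byte[] b = md.digest(pinned.getPublicKey().getEncoded());
        return MessageDigest.isEqual(a, b);
    }

    public static HttpsURLConnection connectPinned(Context ctx, int rawResId, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.connect(); // default TrustManager and HostnameVerifier run here first
        // Index 0 of the presented chain is the server's own (leaf) certificate.
        Certificate leaf = conn.getServerCertificates()[0];
        if (!samePublicKey(leaf, loadPinned(ctx, rawResId))) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("server key does not match the pinned certificate");
        }
        return conn;
    }
}
```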

Will Self Sign Certificate work while publishing to chrome cast?

Developing a simple Android application that will cast a URL (webpage) on a bigger display.
For publishing, "the receiver app must be served over SSL (HTTPS)". For that I have generated a self-signed SSL certificate and plan to use the same.
URL for publish
However, on trying to access the page from the browser, it gives the following warning:
The site's security certificate is not trusted! You attempted to reach basilapps.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
So my query is:
(A) Will a self-signed certificate work fine during publishing?
(B) If not, then do I need to purchase an SSL certificate from a trusted authority?
(C) Are there freely available trusted certificate services available?
Thanks
Self-signed certs do not work and yes, you need to get/use a trusted one from a known authority. If you can use App Engine, that works since it already has that. For development, either use http or use App Engine or even Google Drive (the last two support https).

how to get the Root certificates and intermediate certificates for android SSL

I need to implement a security measure for my Android app, which currently runs with http.
I was reading on SSL and found that we need root and intermediate certificates.
If I am not purchasing the certificate from outside, how can I get the root and intermediate certificates?
thanks
Do you mean you will be using a self-signed or self-issued certificate on the public-facing server? (Neither of which I would recommend.)
If you really want to try and do that then:
A self-signed certificate signs itself (it is its own CA).
For a self-issued certificate on Windows, for example, use the MMC certificates tool; you can download the public part of any certificates in the trust chain (but then you'd need to get them onto a device for them to be useful, and that is something owners of the devices would not like, since I would bet you do not have proper key management in place).
A potentially better way would be to use a properly issued certificate for your production site, which would allow you to validate the hostname and trust chain correctly.
But for your local dev builds, have it ignore these two checks (I would also have it put up a Toast if it was running in this mode so you don't ship this by mistake).

Server Certificate Extension and interface with Android

Our Android application is interfacing with a server that employs a certificate chain, with certificates issued by Verisign. We were able to establish SSL sessions with this endpoint so far. This Verisign certificate is due to expire next month.
Questions:
1. Should Server site get a new certificate reissued from Verisign and everything would just work?
2. Can the original certificate expiration date be just extended rather than issue a new one?
What can be done to ensure a smooth transition?
You need to be issued a new certificate, but it needn't be issued by Verisign. Any trusted authority can sign the certificate.
The key store containing trusted issuers is here:
/system/etc/security/cacerts.bks
You cannot extend a certificate, but you shouldn't need to. As long as the server certificate is issued by a CA you trust (it does not have to be VeriSign), things should continue to work. You might want to replace the cert sooner rather than later though, because people might have clocks that are off by a few days.
