Consuming RESTful services with SSL on Android - android

I have created an app which would get data from my DB through RESTful services.
What I have tried is implementing SSL at the service level using a self-signed certificate (for now), and in order for the Android app to communicate with the services, I have imported the same SSL certificate into my Android application.
I wanted to confirm my approach and also ask whether it is a secure option, because I think someone can get the certificate from the Android app by reverse-engineering. If not, what would be the most secure option to do that?

Related

Android Update SSL Certificate

I am building an Android Application which consumes a REST Api through an HTTPS connection. Right now to ensure the connection to this api I am using a file cert embedded in the app as explained in this example, at Android Documentation.
It is working well, but recently the certificate has changed and I had to publish the Application again with the new cert file.
My question is: What is the best way to avoid this every time the certificate changes? How to do it without using a cert file embedded directly in the app?
Thanks!

SSL Certificate for Wordpress, IOS and Android

If they implement SSL on their WordPress site, will both the iOS and Android applications automatically work through that SSL certificate, or do we need to purchase another certificate? Please explain.
Apppresser creates a mobile wrapper around your site which means that any communication it has with the site will be over the protocol you have installed on the server. If you are using https:// when accessing the site when you create the app then it will be secure.

Create WCF https server with android client

I want to connect an Android client to a WCF web service. There are several good guides describing how to do this, but the HTTPS concept is really blurry for me. Here is what I want:
1) A self-hosted web service communicating over HTTPS with an authenticated client.
The user database resides on a SQL Server.
The service must be a "simple install" for any user to carry out.
The user will install the service on his/her PC and then download the client from Google Play, configuring it using the IP address only.
Problem: it seems impossible to carry this out using WCF because wshttp looks like it needs a certificate installed on the machine.
A possible way forward would be generating a self-signed cert during install, but how can I then, in a user-friendly manner, get the cert to an Android client?
2) An Android app published on Google Play which is able to communicate with the service. Data sent to the service will be both simple datatypes (string and integer data) and large binaries, 3-25Mb.
The user installing the service has no more knowledge than his IP address and must not be bothered with any certificate issues or other technical details. One option might be using message instead of transport security, but my knowledge is very limited in this area.
Information passed between server and client is of a personal character and may contain passwords including matching sites where passwords are used, personal info, calendar events etc. It will not contain money transfer orders, credit card numbers or account numbers.
The core functionality of both server and client is more or less already implemented. I now need to secure communication between client and server.
Any recommendation for a good approach to develop this will be greatly appreciated!
The way in which I want to deploy the server service to end users makes it hard to use WCF with SSL.
Other options create other problems. I have now abandoned WCF for this specific project in favor of good old socket programming using Bouncy Castle, SslSocket and a custom protocol. It may be overkill, but it gives me full control over both authentication certificate management and the data being sent.
I'm using SSL with a self-signed cert and override the cert validation method in Android, verifying all data in the cert manually except resolving the host name... enough for me since I use a pre-shared key to encrypt and decrypt data.
Thanks for all help
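
The posts above embed a certificate file in the app and override certificate validation by hand. As an added example (not code from any of the posters), here is one way to write that check in Java so that it pins the SHA-256 digest of the server's public key instead of the whole certificate. The class name, the lowercase-hex pin format and the `contextFor` helper are assumptions of this example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example: accepts a server only if its leaf certificate's public key is pinned.
public final class SpkiPinningTrustManager implements X509TrustManager {
    private final Set<String> pins; // lowercase hex SHA-256 of SubjectPublicKeyInfo
    public SpkiPinningTrustManager(Set<String> pins) {
        if (pins == null || pins.isEmpty()) throw new IllegalArgumentException("no pins");
        this.pins = new HashSet<>(pins);
    }

    // Pin = hex(SHA-256(DER SubjectPublicKeyInfo)); unchanged when a cert is reissued for the same key.
    public static String spkiPin(X509Certificate cert) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        chain[0].checkValidity(); // an expired or not-yet-valid leaf is rejected
        if (!pins.contains(spkiPin(chain[0]))) throw new CertificateException("server key is not pinned");
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication not supported");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    // Hypothetical helper: an SSLContext whose sockets use only the pin check above.
    public static SSLContext contextFor(Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new SpkiPinningTrustManager(pins) }, null);
        return ctx;
    }
}
```

A pin on the key survives a certificate renewal that keeps the same key pair, and a second pin for a backup key allows a planned key change without a forced app update. The pinned value is derived from the public key, which the server sends in every TLS handshake, so extracting it from the app discloses nothing secret.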

Using a SSL certificate on an Android device (HTML 5 Chrome application)

We are creating a browser based HTML5 application targeted for Android devices through the Chrome browser. Security is a chief concern and beyond userid/password requirements, the company also desires to ensure each user has a proper SSL certificate installed before granting access.
Does this even make sense, and if so, can someone provide some resources where I can research this further?
I always thought the cert was stored on the server to secure a session between itself and a client. But I am not aware of the browser somehow providing an installed cert to a server that ensures it is a valid client.
SSL communications can involve certificates installed to both the client and server. An IIS website can be configured to require a client side certificate is installed.
Regarding Android, current versions do not support leveraging an installed client side certificate through the browser. This thread is tracking this particular feature.
http://code.google.com/p/android/issues/detail?id=11231#c107

Android/Appengine "anonymous" access

I'm planning to develop an Android application with an app-engine backend.
However I would like to refrain from using authentication (either with Google accounts or Open ID). Since the data will be sent only from my app and not any other client, and will be over SSL connection, I consider the data safe and trusted.
So my question is two-fold:
Is there any security issue I'm missing here?
All the examples I found use some sort of authentication. Is it at all possible to use the Android App Engine infrastructure (RequestFactory, etc.) without authentication?
An app engine application is just a regular web application deployed on app engine. If you need to authenticate your users, do so. If you don't need to, then don't.
You're missing something, though: once a web app is deployed on App Engine, it's accessible from anywhere on the web, and so anyone (and not just your app) could send requests to this application, whether you use SSL or not. SSL will just make the communication encrypted, and assure the client that they're talking to your web app, and not to a rogue web app masquerading as yours.
