I am building an app that creates a http connection between Android and a specific Server. I transfer data using JSON and all is going well, but now I am trying to secure the connection, by which I mean I don't want a third party to view the data being uploaded. The Server doesn't use SSL certificates and so I am currently thinking of how to implement a secure connection. So far I have two ideas:
Create a self-signed certificate and put it on the server file system. Problem with htis is that the Server owner doesn't want me poking around his system. I'd rather not get into a debate with him about it
Use Jsch (or other) SSH library to create a secure connection. Problem with thisis, I have never used SSH before.
What do you recommend? Is there another option?
Get them to setup SSL on the server and be done with it. Since the server has to decrypt the data, you need to do something on the server, whether that is installing a key and certificate or modifying the web app to decrypt your data. Using SSL is by far the best option. SSH can be tricky, and they might be less likely to allow SSH connections from mobile devices than regular HTTP(S).
Related
I have the application. I know all urls, parameters, http-request types, etc (this is my application).
How can I intercept all requests from the application?
For example:
I pressed a button and can see the text of requests to the server.
Task:
to hide requests from potential hackers and prevent him to perform requests on behalf of the application.
You can see your requests with a Packet Sniffer. If you are developing and testing on an emulator something like Wireshark, Fiddler, etc would work. If you are developing and testing on a specific Android device, then try using apps like Packet Sniffer which will capture the requests going through.
If you want to secure the requests from hackers then consider encrypting your requests. To start with, use SSL (HTTPS) encryption on your server, to prevent people from eavesdropping on the same network. To set this up, it will depend on what server technology you are using (e.g. Apache, Nginx, etc). However, there are many solutions but a popular one is LetsEncrypt.
Next, if you don't want people to understand the requests your app is sending to / from their device, then consider adding another layer of encryption on the request payload itself. Algorithms such as AES256 bit encryption will work and be secure enough, have a look here: Android AES 256-bit Encrypt data
Always hash any passwords you are sending / storing too, using algorithms like MD5, SHA256, etc.
No one can see that http request without source code .
If you upload your app in play store they have just apk . From that they cant do anything.Now a days google provides more security for applications.Because you are already generated singed Apk.
On my server, I need to ensure that I receive connections only from android devices.
Is it possible? To store client cert for this in custom android assembling that is resistant to rooting ? Or I can hide absolutely nothing on rooted device? And can not avoid rooting by any means(for ex providing my own android assembled firmware)? Cause even if I set program root checking - the app can be rebuilt by 3d party to avoid this check. Any usefull ideas appreciated. Thx in advance.
1) OAuth2 is authentication and authorization protocol which is broadly used by largest and even smaller companies. Think of Facebook API. If a user is not authentication nor authorized to make that call, you can drop the inbound request. That's one method.
2) Second method would be to add your own user agent to your HTTP header and other custom HTTP headers. If your server checks on these headers, then you can drop the inbound requests.
You don't have to store the SSL certificate on the client as the client would initiate a secure connection with the server that has the SSL certificate.
Anyhow, using a certificate client side could be okay to encrypt data but I don't believe Android Java has support for that. Correct me if I'm wrong. If you do happen to encrypt data with that key, you could encrypt a certain String or bytes that you can parse into one of your custom HTTP headers but if someone finds out what the encrypted String would be, he/she can still fake a connection. However I do not recommend to store your SSL certificate on the client's device.
Regardless of what you might do, there's always a way to fake a HTTP/HTTPS connection like it's coming from an Android device but you can narrow down the incoming HTTPS requests using these two methods and make it much harder. An example would be Pokémon GO. There are plenty of unofficial APIs on GitHub who can fake a connection like it's coming from the official app.
The challenge I have is to convert an android app that uses HTTP connection to HTTPS connection without rewriting the code?
What are the options available to achieve the above challenge on a device without a root access?
Any solution that relies on server-side redirections (from HTTP to HTTPS) will be vulnerable to MITM attacks (see this answer).
If the addresses in this app are configurable, just change them to use your HTTPS URLs.
Otherwise, you can of course use a server-side redirection to mitigate the risk slightly, but that won't prevent downgrade MITM attacks (which can happen, perhaps more so when using a mobile device).
If it's always connecting to a known endpoint that's under your control, you could implement something at the target server end of things to redirect, perhaps something like mod_rewrite if it's an Apache server.
There's no much to be rewritten. You basically change your http:// links to https:// and that's shall be it. Some problems may appear when endpoint's certificate is self signed or signed by some less popular CA, but you can easily replace your HttpClient with this one, add issuer's CA to your app and be done with one screen of code basically.
If app is not yours and you got no code, then you could try to tunnel it, by making it accessing the net via your access point which would transparently re-route the packets via ssh tunnel or VPN or whatever else.
If app is not yours but you can have code - that's IMHO best way to go.
I want to connect a Android client to WCF Webservice. There are several good guides describing how to do this but the https concept is really blurry for me. Here is what i want:
1) A selfhosted WebService communicating over https with an authenticated client.
The user database resides on a SQL Server.
The Service must be a "simple install" for any user to carry out.
The user will install the service on his/her PC and then download the client from google play configuring it using ipadress only.
Problem: it seems impossible to carry out this using WCF cause wshttp looks like having the need to install a certificate on the mashine.
A possible way forward would be generating a selfsigned cert during install but how can i then in a userfriendly manner get the cert to an android client?
2) A Android app published on Google Play which is able to communicate with the service. Data sent to the service will be both simple datatypes (string and integer data) but also large binaries 3-25Mb.
The user installing the service has no more the knowledge than his ip adress and must not be bothered with any certificate issues or other technical details. One option might be using message instead of transport security but my knowledge is very limited in this area.
Information passed between server and client is of personal caracter and may contain passwords including matching sites where passwords are used, personal info, calendar events etc. It will not contain money transfer orders, credit card numbers or account numbers.
The core functionallity of both server and client are more or less already implemented. I now need to secure communication between client and server.
Any recommendation for a good approach to develop this will be grately appreciated!
The way in which i want to deploy the server service to end users makes it hard to use WCF with ssl.
other options create other problems. i have now abandoned WCF for this specific project in favor to Good old socket programming using Bouncy Castle, SslSocket and a custom protocol. It may me overkill but gives me full control over both authentication certificate management and the data being sent.
Im using ssl with a selfsigned cert and override the cert validation method in android verifying all data in the cert manually except relolving the host name... enough for me since i use a pre shared key to encrypt and decrypt data.
Thanks for all help
I making an application for Android, BlackBerry and iPhone. The application needs to communicate with my Java-based web services. The data should be encrypted when the app and the webservice communicate.
Is there any common algorithm which I can use to encrypt and decrypt the data in these three platforms? I have searched over the internet but can't find and reliable solution.
The simplest way of doing this would be to use SSL on the web server. So rather than encrypting the data, encrypt the actual connection. You'd just connect to 'https://...' rather than 'http://...'. Thats a very standard encryption that every platform can work with, and you dont have to complicate things in your client apps by encrypting the data.
This of course assumes you control the web server, or otherwise can make sure it has SSL enabled.