Assuming my application needs to access my web server using a server certificate that is not supported by the Nexus One (or other Android devices), for example.
Is it possible to 'embed' the client certificate in the application? Is this the same as signing the app with the client certificate?
Thanks
Yes, it is possible to embed the server certificate in the application.
Look at my blog article. I posted a detailed description of how you can achieve this by creating your own keystore.
Related
I have a webpage that needs authentication, which can be tedious to enter on mobile, so I was thinking of creating a wrapper application that could log in the user (only one - me) automatically with saved credentials. In order to protect the credentials I want to use the fingerprint API (I use a Samsung S5). However, this is new stuff for me, so I have a few questions about the feasibility:
Is it possible to automatically log into a web page from an app wrapper?
Could this work with a non-trusted certificate (I have to generate my own)?
Can I encrypt and use the fingerprint to decrypt the credentials so they are secure on the phone?
Is it possible to automatically log into a web page from an app wrapper?
Yes.
Could this work with a non-trusted certificate (I have to generate my own)?
No in general, if you mean an HTTPS certificate, but Android WebView with a client certificate may help.
Can I encrypt and use the fingerprint to decrypt the credentials so they are secure on the phone?
Yes. In practice, refer to http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html
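To make the third answer concrete, here is an added example (my own code, not the linked Google sample) of the pattern it points at: an AES-GCM key created in the Android Keystore with user authentication required, so the saved credentials can only be sealed or unsealed after a fingerprint touch. It assumes API 23, the USE_FINGERPRINT permission, and a key alias and callback interface of my choosing.

```java
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Seals/unseals a saved password with a fingerprint-gated Android Keystore key (added example). */
public final class FingerprintSealedCredential {
    private static final String ALIAS = "web_login_credential";   // assumed alias, pick your own
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final String PROVIDER = "AndroidKeyStore";

    /** Delivered after the fingerprint touch: ciphertext+IV on seal, plaintext on unseal. */
    public interface Callback {
        void onResult(byte[] data, byte[] iv);
        void onError(CharSequence message);
    }

    private final FingerprintManager fingerprintManager;

    public FingerprintSealedCredential(Context context) {
        fingerprintManager = context.getSystemService(FingerprintManager.class);
    }

    /** Creates the key once; every later use of it needs a fresh fingerprint authentication. */
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(ALIAS, null);
        if (existing != null) {
            return existing;
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)     // the fingerprint gate
                .build());
        return kg.generateKey();
    }

    /** Drops a key the system has invalidated (fingerprint enrolled/removed) so the next seal makes a new one. */
    private static void deleteKey() {
        try {
            KeyStore ks = KeyStore.getInstance(PROVIDER);
            ks.load(null);
            ks.deleteEntry(ALIAS);
        } catch (Exception ignored) {
            // Nothing sensible to do here; the next getOrCreateKey() will retry.
        }
    }

    /** iv == null: seal `input` (plaintext). iv != null: unseal `input` (ciphertext) with that IV. */
    public void run(final byte[] input, final byte[] iv, final Callback cb) {
        final Cipher cipher;
        try {
            cipher = Cipher.getInstance(TRANSFORM);
            SecretKey key = getOrCreateKey();
            if (iv == null) {
                cipher.init(Cipher.ENCRYPT_MODE, key);            // Keystore picks a random IV
            } else {
                cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
            }
        } catch (KeyPermanentlyInvalidatedException e) {
            // The enrolled fingerprints changed: the key, and anything sealed under it, is gone.
            deleteKey();
            cb.onError("Key invalidated by a fingerprint change; re-enter the credentials");
            return;
        } catch (Exception e) {
            cb.onError(e.toString());
            return;
        }
        // The cipher is bound to the fingerprint prompt; doFinal() only works after a successful touch.
        fingerprintManager.authenticate(new FingerprintManager.CryptoObject(cipher),
                new CancellationSignal(), 0, new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                        try {
                            Cipher c = result.getCryptoObject().getCipher();
                            byte[] out = c.doFinal(input);
                            cb.onResult(out, iv == null ? c.getIV() : iv);
                        } catch (Exception e) {
                            cb.onError(e.toString());   // e.g. AEADBadTagException if the stored blob was altered
                        }
                    }

                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        cb.onError(errString);
                    }
                }, null);
    }
}
```

Store the returned ciphertext and IV (for example in app-private storage) and pass both back to `run` to recover the password; the private key material never leaves the Keystore, so an attacker with a copy of the stored blob still needs the enrolled finger.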
I am developing an Android application which interacts with my server. For including the SSL layer, I created a self-signed certificate for my server. So, at present, when I access my server through a browser, it sends that certificate and once I save it, all works fine in the browser.
But I am not sure how I can move ahead so that my Android app will communicate effectively with the server. The thing I know so far is that I need to generate a keystore (.bks) for my Android application and pass it on to a TrustManager. I found various tutorials to generate the keystore, but I am getting confused on a few points:
Will I need any info regarding the server's certificate for generating this keystore?
Is there any way through which I can replicate the browser like functionality in the application? (If the certificate is not from a trusted CA, add it to the list if the user confirms that.)
How will the server trust my keystore?
I might be mixing some of the concepts because I read a lot of articles regarding all this. The articles/questions that I have already referred are:
Bob Lee's blog
Blog on CodeProject
Using OkHTTP
StackOverflow answer
Extract cert from server and add to keystore
Developing a simple Android application that will cast a URL (webpage) on a bigger display.
For publishing, "the receiver app must be served over SSL (HTTPS)". For that I have generated a self-signed SSL certificate and plan to use the same.
URL for publish
However, on trying to access the page from a browser, it gives the following warning:
The site's security certificate is not trusted! You attempted to reach
basilapps.com, but the server presented a certificate issued by an
entity that is not trusted by your computer's operating system. This
may mean that the server has generated its own security credentials,
which Chrome cannot rely on for identity information, or an attacker
may be trying to intercept your communications.
So my query is:
(A) Will a self-signed certificate work fine during publishing?
(B) If not, then do I need to purchase an SSL certificate from a trusted authority?
(C) Are there freely available trusted certificate services?
Thanks
Self-signed certs do not work and yes, you need to get/use a trusted one from a known authority. If you can use App Engine, that works since it already has that. For development, either use http or use App Engine or even Google Drive (the last two support https).
I am working on an application in which I have to post certain data via HTTPS services. I am using a self-signed certificate but I am not sure where to register this certificate on my device, and I don't want to use the inbuilt browser kit. As I understand, if I use the browser kit I can add my certificate and install it under "user" certificates.
Is there any way to add this certificate at "system" level in Android rather than at "user" level?
Can someone suggest? Someone who has worked on VPN would be more aware of it....
I am working on an application in which I have to post certain data via HTTPS services. I am using a self-signed certificate
If you are using HttpURLConnection, OkHttp, or HttpClient, you can create an SSLContext that uses a TrustManager that supports your self-signed certificate. I have some support for this with my TrustManagerBuilder in my CWAC-Security library, and there are plenty of examples of how to do this yourself, such as this blog post, by searching for android sslcontext self-signed in your favorite search engine.
If you are using some library for HTTP access, find out where you can configure its SSL functionality, or contact the author of that library if there does not seem to be an option for this.
Is there any way to add this certificate at "system" level in Android rather than at "user" level?
Users can install certificates. I am not aware that apps can install certificates, though I cannot rule it out. However, unless this certificate is needed for other apps, not just yours, please just use the certificate from your own app.
We have a web service that should only be called by a specific Android app. What solutions are there for this problem?
The requirement is to not use authentication at all.
If it's only your client and your server, you can (and should) use SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
You'll normally store that certificate/private-key in a keystore of some type (a KeyStore if you're using Android) and that keystore will be encrypted. That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your use case. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in every time). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server.
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.
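Two answers on this page describe the same client-side plumbing without showing it: the one suggesting an SSLContext with a TrustManager that accepts your own self-signed server certificate, and the one above that additionally gives the app its own client certificate so the server can require it. The following is an added example of mine (not the CWAC-Security TrustManagerBuilder and not the walkthrough from the book) that does both with stock javax.net.ssl classes. It assumes the server certificate is bundled as a DER or PEM raw resource and the client identity as a PKCS#12 raw resource; the resource names and the `"changeit"` password in the usage comment are placeholders.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Pins one server certificate and optionally presents a client certificate (added example). */
public final class PinnedMutualTls {
    private PinnedMutualTls() {}

    /** A trust store holding exactly one entry: the server's self-signed certificate. */
    public static TrustManagerFactory trustOnlyServer(InputStream serverCert) throws Exception {
        // CertificateFactory accepts both DER and PEM ("-----BEGIN CERTIFICATE-----") input.
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(serverCert);
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());   // BKS on Android
        trust.load(null, null);                                             // start from an empty store
        trust.setCertificateEntry("server", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                                                    // no system CAs, only this cert
        return tmf;
    }

    /** The app's own certificate and private key, read from a PKCS#12 file shipped with the app. */
    public static KeyManagerFactory clientIdentity(InputStream p12, char[] password) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        identity.load(p12, password);                                       // password also protects the key
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);
        return kmf;
    }

    /**
     * Build the SSLContext. Pass clientP12 == null for server-pinning only
     * (the first answer's case); pass a PKCS#12 stream for mutual TLS (the answer above).
     */
    public static SSLContext build(InputStream serverCert, InputStream clientP12, char[] password)
            throws Exception {
        KeyManager[] keyManagers = null;
        if (clientP12 != null) {
            keyManagers = clientIdentity(clientP12, password).getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustOnlyServer(serverCert).getTrustManagers(), null);
        return ctx;
    }

    /** Open a connection that uses the pinned context; hostname checking is left at its default. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(): the pinned cert's CN/SAN must still match url.getHost().
        return conn;
    }

    /*
     * Usage inside an Activity or Service (placeholder resource names, hypothetical password):
     *
     *   SSLContext ctx = PinnedMutualTls.build(
     *           getResources().openRawResource(R.raw.server_cert),   // DER/PEM server cert
     *           getResources().openRawResource(R.raw.client_p12),    // PKCS#12 client identity, or null
     *           "changeit".toCharArray());
     *   HttpsURLConnection conn = PinnedMutualTls.open(new URL("https://your.server.example/api"), ctx);
     *   int status = conn.getResponseCode();   // TLS handshake fails fast on any other certificate
     */
}
```

Because the trust store contains only the one certificate, a rotated or expired server certificate breaks every installed client until the app is updated, so plan the rotation before the certificate's notAfter date. The PKCS#12 password is exactly the secret discussed in the answer above: if it is compiled into the app, the client identity can be extracted by anyone who unpacks the APK.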
I guess this will work with proper authentication in place. The first post I just stumbled upon was this one:
Securing communication from android to a web service
Hope it helps =)
If you're absolutely certain this web service will only need to be accessed by authorized applications/devices, go with client-side SSL certificates and restrict access at the server to only clients with authorized certs. This has the bonus feature of forcing SSL at all times so you don't leak auth secrets over an open channel. Here's a quick guide for Apache, but you could use nginx too:
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500