The Android platform provides libraries and methods to communicate with the servers by using secure network protocols such as HTTPS, and forming the underpinnings of PKI (Public-Key Infrastructure) implementations. The protocol of SSL\/TLS is designed to enhance the security, but incorrect use of the libraries of Android platform can expose applications to MiTM attacks. In such attacks, the attackers can interpret the traffic flowing from the application to the server or vice versa and may:<\/p>\n
- \n
- be eavesdropping and accessing the data sent by the server or the application<\/li>\n
- modify the intercepted data or replace it with malicious code or data and re-introduce it in the application and redirect the traffic to an entirely new destination, which is controlled by the attacker.<\/li>\n<\/ul>\n
Vulnerable Play Store<\/h3>\n
On July 17 2014, a team of experts at FireEye, reviewed as many as 1000 free applications from Google Play, which are very popular and are downloaded the most. Out of these 1000 applications, 68% (~ 614 applications) had at least one out of three SSL vulnerabilities. The number of vulnerable applications found in each category is presented in the image below:<\/p>\n
![\"ssl](\"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2014\/10\/ssl-vulnerabilities-in-top-100-google-play-store-applications1.png\")
<\/p>\nHow to Secure An Android App?<\/h3>\n
Following main steps are involved in securing the connection from a trusted Certificate Authorities CA:<\/p>\n
Step 1<\/strong> \u2013 Obtain all the required certificates (including root and any intermediate Certificate Authorities)
\nStep 2<\/strong> \u2013 Next, create a keystore with a keytool and the BouncyCastle provider and import the certificates.
\nStep 3<\/strong> \u2013 Load the keystore into the Android applications and establish secure connections<\/p>\nNOTE:<\/strong> Experts recommend not to use the standard java.net.ssl.HttpsURLConnection<\/em><\/strong> for securing the connection. Instead, it is advisable to use the Apache HttpClient<\/strong><\/em> (currently at Version 4) library, as it is already a built-in feature in Android. It is built on top of the java connection libraries and is considered faster, well modularized, and easy to understand.<\/p>\n
Step 1 \u2013 Obtain the Certificates<\/h3>\n
In this step, you have to obtain all the certificates that are involved in building a chain from the endpoint certificate until Root CA, including Intermediate certificates as well, if any. However, it is not necessary to obtain the endpoint certificate.<\/p>\n
If provided, users can obtain those certificates from the chain included in the endpoint certificate. Alternatively, they can obtain the certificates from the official site of the issuer.<\/p>\n
Please make sure to save all the obtained certificates in the Base64 encoded X.509 format. The content should be looking like this:<\/p>\n
1-----BEGIN CERTIFICATE-----\r\n2MIIGqTC.....(continues)\r\n3-----END CERTIFICATE-----\r\n<\/pre>\n
Step 2 \u2013 Keystore Creation<\/h3>\n
To start with, download the BouncyCastle<\/em> package and carefully store it at a known location. At this stage, please make sure you can invoke the keytool<\/em> command, which is usually located under the bin folder of the JRE installation.<\/p>\n
Next, import the obtained certificates (not the endpoint certificate) into a BouncyCastle<\/em> formatted keystore. It is advisable to import the certificates starting with the lowermost Intermediate certificate and then gradually moving all the way up to the Root CA certificate.<\/p>\n
After giving the following command, a new keystore with password \u2018mysecret<\/em>\u2019 will be created and the Intermediate CA certificate will be imported. Please execute this command for all the certificates:<\/p>\n
keytool -importcert -v -trustcacerts -file \"path_to_cert\/interm_ca.cer\" -alias IntermediateCA -keystore \"res\/raw\/myKeystore.bks\" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath \"path_to_bouncycastle\/bcprov-jdk16-145.jar\" -storetype BKS -storepass mysecret\r\n<\/pre>\n
Now verify if the certificates are imported in a correct manner into the keystore:<\/p>\n
keytool -list -keystore \"res\/raw\/myKeystore.bks\" -provider\r\norg.bouncycastle.jce.provider.BouncyCastleProvider -providerpath \"path_to_bouncycastle\/bcprov-jdk16-145.jar\" -storetype BKS -storepass mysecret\r\n<\/pre>\n
Should output the whole chain<\/p>\n
RootCA, 22.10.2010, trustedCertEntry, Thumbprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93\r\nIntermediateCA, 22.10.2010, trustedCertEntry, Thumbprint (MD5): 98:0F:C3:F8:39:F7:D8:05:07:02:0D:E3:14:5B:29:43\r\n<\/pre>\n
Now, the keystore can be copied as a raw resource in the android application under res\/raw\/<\/p>\n
Step 3 \u2013 Use the Keystore in the Application<\/h3>\n
First, the user needs to create a custom Apache HttpClient that uses this keystore for HTTPS connections:<\/p>\n
public class MyHttpClient extends DefaultHttpClient {\r\n\r\nfinal Context context;\r\n\r\npublic MyHttpClient(Context context) {\r\nthis.context = context;\r\n}\r\n\r\n@Override\r\nprotected ClientConnectionManager createClientConnectionManager() {\r\nSchemeRegistry registry = new SchemeRegistry();\r\nregistry.register(new Scheme(\"http\", PlainSocketFactory.getSocketFactory(), 80));\r\n\/\/ Register for port 443 our SSLSocketFactory with our keystore\r\n\/\/ to the ConnectionManager\r\nregistry.register(new Scheme(\"https\", newSslSocketFactory(), 443));\r\nreturn new SingleClientConnManager(getParams(), registry);\r\n}\r\n\r\nprivate SSLSocketFactory newSslSocketFactory() {\r\ntry {\r\n\/\/ Get an instance of the Bouncy Castle KeyStore format\r\nKeyStore trusted = KeyStore.getInstance(\"BKS\");\r\n\/\/ Get the raw resource, which contains the keystore with\r\n\/\/ your trusted certificates (root and any intermediate certs)\r\nInputStream in = context.getResources().openRawResource(R.raw.mykeystore);\r\ntry {\r\n\/\/ Initialize the keystore with the provided trusted certificates\r\n\/\/ Also provide the password of the keystore\r\ntrusted.load(in, \"mysecret\".toCharArray());\r\n} finally {\r\nin.close();\r\n}\r\n\/\/ Pass the keystore to the SSLSocketFactory. The factory is responsible\r\n\/\/ for the verification of the server certificate.\r\nSSLSocketFactory sf = new SSLSocketFactory(trusted);\r\n\/\/ Hostname verification from certificate\r\n\/\/ http:\/\/hc.apache.org\/httpcomponents-client-ga\/tutorial\/html\/connmgmt.html#d4e506\r\nsf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);\r\nreturn sf;\r\n} catch (Exception e) {\r\nthrow new AssertionError(e);\r\n}\r\n}\r\n}\r\n<\/pre>\nWith this step, the custom HttpClient is created, which can be used for secure connections.<\/p>\n
Read Other Important Resources<\/h3>\n
- \n
- How to Reduce Vulnerabilities & Online Malware Attacks on Android Devices<\/a><\/li>\n
- Understanding WildCard SSL validation for the Android Platform<\/a><\/li>\n
- Mobile Cloud Computing \u2013 The Future of Mobile Applications<\/a><\/li>\n
- Enable Two-Factor Authentication \u2013 An All-in-One Guide<\/a><\/li>\n<\/ul>\n
<\/br><\/p>\n
SSL Certificates for Android Apps<\/h3>\n
\n![\"RapidSSL](\"\/blog\/wp-content\/uploads\/2018\/09\/rapidssl-small-logo.png\")
<\/div>\n\nSecure Android Webstore through an SSL Certificate from the most popular SSL brands like RapidSSL, GeoTrust, Thawte, and Symantec.<\/p>\n
- Understanding WildCard SSL validation for the Android Platform<\/a><\/li>\n
- How to Reduce Vulnerabilities & Online Malware Attacks on Android Devices<\/a><\/li>\n