Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How and what server certificate to use with android SSL client certificate authentication

Tags:

android

ssl

ssl-certificate

I'm developing a network-enabled android application that uses SSL client certificates to authenticate and secure connections to my server.

I have two questions: (1) should I use a self-signed server certificate or a commercial one? And (2) should I include the server certificate inside the apk file that users install or should I have the application connect to my server to get the server certificate over the network (for the purpose of making the device trust the server cert)?

When I ask what I "should" do, I'm asking what are the benefits and disadvantages of each choice?

Right now I am using a self-signed certificate included with the apk file. When the user runs the app for the first time, it reads the included self-signed cert into the trust store so the device will connect to my server with no complaints. I suppose if I use a commercial cert then my question #2 might become moot, since the device may trust the cert from the server with no issues.

One more possibly-relevant detail: this application is not being distributed through the android market. Users will download the application from my server, so I can include whatever server certificate I want, including a different one for each user if I needed to.

I have my own ideas about the various advantages and drawbacks to each possible answer to my two questions, but I'm interested in what others--hopefully security minded--have to say on the matter.

Thanks in advance!

like image 775
Adam Mackler Avatar asked Nov 14 '22 23:11

Adam Mackler

1 Answers

I see no reason not to self-sign. I would have upped it a notch, though, and created my own certificate authority. This allows you to ensure that you will only connect to servers that has certificates that are signed by your custom CA, which is much better (i.e. actual crypto security) than a simple fingerprint check of the certificate on the server.

Here's an example of how to create a custom CA using Ruby's OpenSSL bindings. The procedure is the same in most languages. https://github.com/augustl/ruby-openssl-cheat-sheet/blob/master/certificate_authority.rb

You can of course also use a client certificate that has to be signed by your custom CA for your server to accept the request. Note that this will only be obscurity - an attacker will be able to extract the private key and custom CA signed cert from your app. If your app can make requests to the server, anyone can :)

like image 155
August Lilleaas Avatar answered Dec 23 '22 02:12

August Lilleaas
Sign in to Comment

Related questions

How can I get my ringtone to play in android?
window.location.href javascript does not trigger shouldOverrideUrlLoading
Simple check for Android application backgrounding
How to update array of items in an AlertDialog list built with AlertDialog.builder after creation
Android drawBitmap(...) method is slow?
How to set a callback when WebView has rendered data (is ready to be displayed)
Android Emulator is crashing a lot
Android MP3: java.io.FileNotFoundException: This file can not be opened as a file descriptor; it is probably compressed
Transfer an Image via Bluetooth in Android
Open asset file pdf in application
How to create multiple buttons at runtime? + android
Android Animation pause and play problem
How to Create an application for both tablet and mobile
How might I use the "Comic Sans" font for Android's TextView?
Android: Question about size/resolution independent applications?
Billing-in-app error
Android imeOptions and auto-pressing Login button
Butterknife vs AndroidAnnotations [closed]
Weights in Jetpack compose
How to draw a circle with a transparent middle

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!