I'm developing a network-enabled android application that uses SSL client certificates to authenticate and secure connections to my server.
I have two questions: (1) should I use a self-signed server certificate or a commercial one? And (2) should I include the server certificate inside the apk file that users install or should I have the application connect to my server to get the server certificate over the network (for the purpose of making the device trust the server cert)?
When I ask what I "should" do, I'm asking what are the benefits and disadvantages of each choice?
Right now I am using a self-signed certificate included with the apk file. When the user runs the app for the first time, it reads the included self-signed cert into the trust store so the device will connect to my server with no complaints. I suppose if I use a commercial cert then my question #2 might become moot, since the device may trust the cert from the server with no issues.
One more possibly-relevant detail: this application is not being distributed through the android market. Users will download the application from my server, so I can include whatever server certificate I want, including a different one for each user if I needed to.
I have my own ideas about the various advantages and drawbacks to each possible answer to my two questions, but I'm interested in what others--hopefully security minded--have to say on the matter.
Thanks in advance!
I see no reason not to self-sign. I would have upped it a notch, though, and created my own certificate authority. This allows you to ensure that you will only connect to servers that has certificates that are signed by your custom CA, which is much better (i.e. actual crypto security) than a simple fingerprint check of the certificate on the server.
Here's an example of how to create a custom CA using Ruby's OpenSSL bindings. The procedure is the same in most languages. https://github.com/augustl/ruby-openssl-cheat-sheet/blob/master/certificate_authority.rb
You can of course also use a client certificate that has to be signed by your custom CA for your server to accept the request. Note that this will only be obscurity - an attacker will be able to extract the private key and custom CA signed cert from your app. If your app can make requests to the server, anyone can :)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With