I need to do this thing:
communicate using ssl from android terminal to a server;
each android client has its own certificate (we can say mutual authentication);
the ssl certificate must not be in the application (each person install his certificate on his phone).
How can I do it?
Obviously point 1) alone is easy (I build a keystore/truststore as explained in stackoverflow). The problem is in point 3).
Thanks,
Mario
If you are targeting Android 4.0 (ICS), you can use the system key store via the KeyChain API. For other versions, users need save their keystore somewhere (on the SD card/external storage, etc.) and let your app know where to find it.
Related
I am a newbie developing an Android app. It implements a socket connection and has to bypass or allow all host for it to work with our self-signed certificate installed on a server.
I heard that google play store doesn't accept this kind of connection in the published app. Is it true? Or there is another way to do it?
Thank you.
and had to bypass or allow all host in order to work with our self-signed certificate installed on server
That was not a particularly good move, from the standpoint of security.
I heard that google play store doesnt accept this kind of connection in the published app
The Play Store has implemented a ban on apps that bypass SSL validity checking and blindly accept all incoming SSL certificates.
Or there is another way to do it ?
Android 7.0+ has support for self-signed certificates. I backported that code to work on Android 4.2+. There are other libraries that offer self-signed certificate support, such as this one. There have been articles written on using self-signed certificates.
So what i would like is a secure connection between my phone (java) and my raspberry pi.
I already made a custom server with the help of autobahn wich is on my github (i can't post more link...).
And i don't understand why the client doesn't need any keys or anything to connect to the server.
I followed the readme here in order to create my key there (i know that i should not share them, but i will recreate my own keys when the project will be finished).
And i've found that for the Java-websocket module it needs some keystore to run. And i think that having a storepass and keypass like this in a .java is not secure at all, isn't it ?
what java need is the certificate to confirm the validity of the autosigned key.
the python client trust automatically all certificate.
Here is the server : https://github.com/flyingrub/SSWOD
And here the server : https://github.com/flyingrub/SecureKey
I saw that there were a few other Java and CAC posts on stackoverflow. I am a beginner with all of this stuff and I am still trying to a framework of what to do and where to go in my mind.
I am doing work for a big org that is using CACs with Windows 7 boxes to authenticate users who want to get into their PCs. They stick the CAC in their keyboard and type in a PIN.
My boss would like to alter our Java Webap such that it will not make the users authenticate if they have their CAC in their computer. If not, they will go through the traditional LDAP login.
We are using WebLogic 11g and Java 6.
From Googling around it seems like there are two approaches:
Implement an applet to read the user's CAC and send an SSL certificate to the webapp.
Implement "mutually SSL authentication" in the web server, which will cause the browser to send the SSL certificate on the CAC to the webapp
Do I have a correct appraisal of my options?
Which solution is easier?
Which will be less hassle, more robust in the long run?
I know next to nothing about SSL, which seems to be common in both solutions. I've found a few SSL tutorials that go on at length about abstract concepts. Can anyone recommend a good tutorial for what I want to do?
Thanks much in advance for any information or tips
Steve
Implement an applet to read the user's CAC and send an SSL certificate to the webapp.
Implement "mutually SSL authentication" in the web server, which will cause the browser to send the SSL certificate on the CAC to the webapp
You will want to do #2. You don't really want to have to mess with smart card hardware / software. Let the OS do all that work.
I've done this on IIS, but generically, to implement this, you will need to configure your web server to require client certificates and to trust the DoD CAs. You may need to configure your web server to advertise to clients which CAs it trusts. If the Win7 clients have a client cert that is signed by a CA you trust, the client will attempt to use it. If it's a smartcard certificate, Windows will automatically prompt the user for the pin; you don't have to worry about that. If the user types the correct pin, the cert will be sent to your web server which should then be able to validate the certificate with the CA. If it's a valid certificate, your software can then parse the fields in the certificate and use the values to help authenticate the user (ie whether, despite having a valid certificate, the user is actually allowed to login based on their name / email address/ etc). It's up to you how to handle it from there.
You will have a much easier time figuring this out and finding information if you forget that the users are using a smartcard or a CAC, and just start with the idea that you're going to use client certificates for authentication. Start by creating a self-signed CA test cert. Then create a server cert for your webserver and a client-certificate signed by your test CA. Add the test CA cert as trusted root cert on the client and the server. Then attempt to write a small test app that uses the client cert to authenticate to your webserver. Once you have that working, you can add the DoD CA and try to pull the info out of a CaC certificate.
good luck!
I would like to develop an own API for Android that will request "Signature" protection level and will be accessible for 'my" applications.
Idea is following:
"install" my own certificate into system certificates storage
sign "trusted" application with my own certificate
As a result during request from any application to my API system will check if this application is signed with an appropriate certificate. If my sertificate is installed into Android everything should be fine.
I'm going to prototype that approach, but if there is something obvious that can prevent me from doing that - please let me know.
The question:
how to install own certificate into system certificates storage (assuming we will build Android ourselves and can modify system (in a reasonable borders))?
Thank you very much.
P.S. I'm not very familiar with Java/Android development, so please don't mind if you see something strange.
UPDATE:
As I wrote in a comment to zeetoobiker's answer, If I sign my API with my own certificate then it will be accessible for all my applications (signed by my certificate), but it won't have any system permissions. And I don't want all my 'customers' to navigate to the "realmb.com/droidCert/" web site. Instead I want manufacturer to add my certificate into an OS, now I'm working on making a proof of concept.
I don't think you need to install the certificate.
From the permission docs for signature:
A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
This means that it's the certificate you use to sign the apps that matter (not any installed certificates) - if you sign App 1 and App 2 with the same certificate then it will have permission. If App 3 which is signed with a different certificate attempts to access the API then it will get a no permission exception.
According to the docs (I have to admit I've not done it although I'm looking at for some of my apps) it should work on vanilla Android without any necessary customisations / access to the device / root.
If you really need to install the root certificate, this may help but I don't think you do for your stated aim.
I want users to be able to install their own personal certificate into my Android application after installation from a website which generates the certificates, but when I use a WebClient or the Android Browser to surf to it, the Secure Storage pops up and installs it, which is unavailable by API until version 14 (Android 4.0), which my users do not have installed.
An example of such a site is http://www.comodo.com/home/email-security/free-email-certificate.php .
Here you can request a personal certificate, and after confirming, you get a link where you can download the certificate.
I want users to be able to download certificates from this website, and others, into my application.
Can anyone tell me which intent to handle to be able to get the certificate into my own application, or how to modify WebClient such that it allows me to decide what it should do with the file?
Thanks in advance,
Patrick
Since the Android keystore API is not public before ICS (4.0), you need to save the key and certificate to some file your app can access to be able to use them. If you require a standard password-protected Java keystore file and require password input for crypto operations, it would be reasonably secure.
You can import a key/certificate pair in pre-ICS versions using Settings->Location and security->'Install from SD card', but there is no public API to access those from your app, the can only be used by the built-in VPN client.