I would like to develop an own API for Android that will request "Signature" protection level and will be accessible for 'my" applications.
Idea is following:
"install" my own certificate into system certificates storage
sign "trusted" application with my own certificate
As a result during request from any application to my API system will check if this application is signed with an appropriate certificate. If my sertificate is installed into Android everything should be fine.
I'm going to prototype that approach, but if there is something obvious that can prevent me from doing that - please let me know.
The question:
how to install own certificate into system certificates storage (assuming we will build Android ourselves and can modify system (in a reasonable borders))?
Thank you very much.
P.S. I'm not very familiar with Java/Android development, so please don't mind if you see something strange.
UPDATE:
As I wrote in a comment to zeetoobiker's answer, If I sign my API with my own certificate then it will be accessible for all my applications (signed by my certificate), but it won't have any system permissions. And I don't want all my 'customers' to navigate to the "realmb.com/droidCert/" web site. Instead I want manufacturer to add my certificate into an OS, now I'm working on making a proof of concept.
I don't think you need to install the certificate.
From the permission docs for signature:
A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
This means that it's the certificate you use to sign the apps that matter (not any installed certificates) - if you sign App 1 and App 2 with the same certificate then it will have permission. If App 3 which is signed with a different certificate attempts to access the API then it will get a no permission exception.
According to the docs (I have to admit I've not done it although I'm looking at for some of my apps) it should work on vanilla Android without any necessary customisations / access to the device / root.
If you really need to install the root certificate, this may help but I don't think you do for your stated aim.
Related
For my education I often have to program math exercises for our site, which will be used in schools.
I had to port a .swf file to java applet, mainly because the .swf ran really slow.
The game/excercise worked fine in both Eclipse and my localhost, but when we put it on the site it always got blocked by Java.
I have read that you need a certificate, but that self signed certificates dont work.
I have tried to do it (Not sure if I was succesful), and the applet was still blocked.
What am I supposed to do to make it work?
Why don't you try Java Web Start instead of applets?
You chan check it at http://www.oracle.com/technetwork/java/javase/applet-migration-139512.html
From https://www.java.com/en/download/help/java_blocked.xml
Java has further enhanced security to make the user system less
vulnerable to external exploits. Starting with Java 7 Update 51, Java
does not allow users to run applications that are not signed
(unsigned), self-signed (not signed by trusted authority) or that are
missing permission attributes.
So, from Java 7 Update 51, users cannot run unsigned application (without a certificate), self-signed application (applications signed with a certificate that doesn't come from trusted authority), or applications missing Permission Attribute.
As the documentation says about self signed applications,
Applications of this type present the highest level of risk because
publisher is not identified and the application may be granted access
to personal data on your computer.
Also, as stated in the documentation, if you can still use self signed applications you need to add it to the exception site list,
As a workaround, you can use the Exception Site list feature to run
the applications blocked by security settings. Adding the URL of the
blocked application to the Exception Site list allows it to run with
some warnings.
We develop several Java apps for internal use within our company (jnlp). With Java 1.7u40 we are seeing a nasty warning that unknown publishers will not be allowed to run in future java releases.
I understand your jars need to be signed by a trusted CA for code signing ... self signing will not suffice. I don't like the fact that we now will have to pay just to sign our apps for internal use only. I truly must be misunderstanding something. Is there a way to code sign the jars so that they will continue to run with future java releases without the need to pay a CA (Verisign, etc)?
If your company runs an internal CA, then you can issue a code signing certificate from that. Most companies that use Active Directory will also have a CA deployed.
Another approach would be to run a script on all company machines that installs the code signing certificate into the trusted certificates store.
I've made a Java applet and I self signed it before, but due to security changes in recent Java updates, self signing no longer gives the applet the necessary permissions.
I need the applet to be able to read the local file system to use images and to be able to connect to a MYSQL database.
The applet used to work with the database when I self signed it, but not anymore.
In addition, many unknown users will be using the applet, so I won't have control over their machines.
Where can I get my applet professionally signed and if possible, is there another way to self sign that will make the applet work?
Purchase a certificate from any reputable certificate authority. Use that to sign your code. List of CAs
Or, some companies also do this: Sign the jars themselves, but pre-populate the JDK trust store with your (self created) CA cert. If you have control over the JRE that is installed on all user machines, you can place your certificate in JRE/lib/security/cacerts so that is trusted ahead of time.
update: This page (Java Control Panel Documentation) describes what type of signature is required for various client side security level settings:
As long as the applet 'phones home' to the DB & this demo. of the JNLP API file services1 works for the problem machines you should be set to go for a Plug-In 2 JRE (1.6.0_10+) JRE. And if the client has less than that, they should seriously look to update. The Deployment Toolkit Script can assist with that.
It is relevant in that:
It uses a self signed certificate
It allows a sand-boxed app. to read/write to the local file system.
An applet launched using JWS has access to the API.
This should only be considered a work-around. The correct way to solve the problem is to heed the advice offered to get a certified code certificate. Oracle seems to be heading towards making it so that unsigned or self-signed code will not just be sand-boxed, but entirely forbidden (& that is for the best).
As an aside re. DB access: For the protection of the DB. The applet should be forced to go through a 'public interface' (via the site that hosts the applet). Do not give the applet direct access to the DB. Otherwise hackers also have direct DB access.
I need to do this thing:
communicate using ssl from android terminal to a server;
each android client has its own certificate (we can say mutual authentication);
the ssl certificate must not be in the application (each person install his certificate on his phone).
How can I do it?
Obviously point 1) alone is easy (I build a keystore/truststore as explained in stackoverflow). The problem is in point 3).
Thanks,
Mario
If you are targeting Android 4.0 (ICS), you can use the system key store via the KeyChain API. For other versions, users need save their keystore somewhere (on the SD card/external storage, etc.) and let your app know where to find it.
I want users to be able to install their own personal certificate into my Android application after installation from a website which generates the certificates, but when I use a WebClient or the Android Browser to surf to it, the Secure Storage pops up and installs it, which is unavailable by API until version 14 (Android 4.0), which my users do not have installed.
An example of such a site is http://www.comodo.com/home/email-security/free-email-certificate.php .
Here you can request a personal certificate, and after confirming, you get a link where you can download the certificate.
I want users to be able to download certificates from this website, and others, into my application.
Can anyone tell me which intent to handle to be able to get the certificate into my own application, or how to modify WebClient such that it allows me to decide what it should do with the file?
Thanks in advance,
Patrick
Since the Android keystore API is not public before ICS (4.0), you need to save the key and certificate to some file your app can access to be able to use them. If you require a standard password-protected Java keystore file and require password input for crypto operations, it would be reasonably secure.
You can import a key/certificate pair in pre-ICS versions using Settings->Location and security->'Install from SD card', but there is no public API to access those from your app, the can only be used by the built-in VPN client.