
HTTPS connection to exactly one site (Android)

Developer https://www.devze.com 2022-12-17 05:51 Source: web

I'm creating an app for the Android platform which will connect with just one site using https. It is essential that it won't be able to connect to any other sites, even with valid SSL certificates. I want it to be resistant to every form of redirection (for example to a site pretending to be the one I need to connect with) or other "attacks". Unfortunately I cannot find any good tutorial about SSL in Android... Do you know any? I'd be grateful for some links or advice. Or maybe you could give me some code snippets? My app is prepared to use HttpURLConnection or HttpClient - it makes no difference which path I choose.

Thank you in advance :)


Is hardcoding the URL not going to solve this?


If you're really that paranoid then hardcoding a URL is not safe, as a URL can point to a different IP when your DNS server is poisoned. This is not likely to happen though.

Hardcoding IPs can help to avoid this problem, as the server is directly accessed without a DNS name resolution.


I would like to point out that the asker's paranoia is quite justified. Assuming the site has a certificate signed by a valid Certificate Authority, (and the app checks it), he should generally be safe, but as recent history has demonstrated, CAs are not completely infallible.

Hardcoding the URL, alone, does nothing to prevent Man-in-the-Middle attacks. If you know that you're only going to connect to one site, you can hardcode the site's certificate or public key into your app, a process known as certificate pinning. This ensures that unless someone gets a copy of the site's private key (in which case you're pretty much sunk, anyway), you are assured that you are communicating with that site, as only the holder of the site's private key can send messages decryptable with the site's public key. For reference:

Implementation:
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#Public_Key_Checks

General info:
http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/

Paranoia is standard procedure when dealing with security issues, and with good reason.

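The pinning the answer above describes, written out for the HttpURLConnection path the asker mentioned. This is an added example, not code from the original answer or from the OWASP page it links to. The host name and the two hex pin values are placeholders: the real pins are the SHA-256 of the DER-encoded SubjectPublicKeyInfo of the server's current key and of a backup key, which you compute from your own certificate before shipping. The trust manager wraps the platform one, so normal CA and validity checks still run, and the leaf key must additionally match a pin; the connection is built from a fixed host and never follows redirects, which covers the "redirection to another site" concern as well.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** HTTPS client that will only talk to one host and only if that host presents a pinned public key. */
public final class PinnedClient {

    // Assumed values for this example. HOST is the single site the app may contact; PINS holds
    // hex SHA-256 digests of the DER SubjectPublicKeyInfo for the current key and a backup key
    // (the backup lets you rotate the server key without an app update that ships first).
    static final String HOST = "www.example.com";
    static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000",   // placeholder: current key
            "1111111111111111111111111111111111111111111111111111111111111111")); // placeholder: backup key

    /** Hex SHA-256 of the SubjectPublicKeyInfo; for X.509, getPublicKey().getEncoded() is that DER. */
    static String spkiSha256Hex(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        StringBuilder sb = new StringBuilder(64);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Delegates to the platform trust manager first, then requires the leaf key to match a pin. */
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager platform;

        PinningTrustManager() throws GeneralSecurityException {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = the device's default CA store
            X509TrustManager found = null;
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
            }
            if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
            platform = found;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            platform.checkServerTrusted(chain, authType); // CA signature, validity period, etc.
            String hash;
            try {
                hash = spkiSha256Hex(chain[0]); // chain[0] is the server's own (leaf) certificate
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
            if (!PINS.contains(hash)) {
                throw new CertificateException("public key pin mismatch for " + HOST + ": " + hash);
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not used by this app");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
    }

    /** Opens a connection to a path on HOST. Scheme and host are fixed; only the path is a parameter. */
    static HttpsURLConnection open(String path) throws IOException, GeneralSecurityException {
        URL url = new URL("https", HOST, path);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The certificate must also be issued for HOST, and redirects are never followed, so a 3xx
        // cannot steer the client to some other site that happens to have a valid certificate.
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) {
                return HOST.equalsIgnoreCase(hostname)
                        && HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
            }
        });
        conn.setInstanceFollowRedirects(false);
        return conn;
    }

    /** Example use (hypothetical path): a pin or host mismatch surfaces as an exception on connect. */
    static int fetchStatus() throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = open("/api/status");
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Two practical notes. Pin the public key rather than the whole certificate: a routine certificate renewal that keeps the same key then continues to work, while a CA mis-issuing a certificate for your host with a different key is still rejected. And, as the answer says, pinning does nothing if the server's private key itself is stolen; it only removes the CAs from the set of parties you have to trust. On Android 7 and later the same leaf pins can be declared in the app's Network Security Config (`<pin-set>` under `<domain-config>`) instead of in code, which is harder to get wrong and applies to every HttpsURLConnection in the app.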
