Reputation: 899
I am writing an application which will need to send very confidential data to an HTTP server. Because of the confidentiality of this data I need to secure the connection as much as I can. I decided to use SSL via HTTP POST. My problem is that I'm really new to SSL and I have some doubts about the process of creating an SSL app on Android. Can anybody tell me if I am doing everything right?
To create my application I do the following steps:
I generate an SSL key and certificate using OpenSSL, following this tutorial. I need to give the .key file to my teammate who writes the HTTP server so that he can configure Apache and use this .key file to verify the identity of the sender, right?
I create a .bks keystore following this tutorial. Then I read this keystore using the same tutorial and then I can connect to the server. Then the server can verify my identity using the .key file, right?
Is this all that I need to create a secure connection between my application and the HTTP server? Will this work properly and safely already?
Upvotes: 0
Views: 161
Reputation: 310911
Wrong. You need to generate a key pair: keep the private key private, give your mate the public key.
You don't seem to have read the tutorial you cited. It says there, correctly, that you can do the whole process with the keytool. There's no need to bring OpenSSL into it at all.
However, the statement in the tutorial about the Apache thing being faster is grade A nonsense. Both it and the HttpsURLConnection class use JSSE under the hood, which uses java.net.Socket under the hood, whose speed is network bound in the first place. It would be truly miraculous if it was faster. Or slower. There might be other reasons to use it (I never have) but this isn't one of them. IMHO what is faster is to set a couple of system properties and use the built-in stuff, instead of writing several yards of code.
Upvotes: 1
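The "couple of system properties plus the built-in stuff" approach from the answer above, sketched as an added example (not code from the question, the answer or the tutorial). It assumes a standard JVM's JSSE, a truststore file that contains only the server's certificate, and hypothetical names: the class SecurePost, the environment variable TRUSTSTORE_PASSWORD, and the form field in the request body.

```java
import java.io.OutputStream;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class SecurePost {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SecurePost <truststore-file> <https-url>");
            System.exit(2);
        }
        // The truststore holds only public material: the server's certificate.
        // The server's private key never leaves the server.
        // These must be set before the first TLS connection, because JSSE
        // reads them once when it builds the default SSLContext.
        System.setProperty("javax.net.ssl.trustStore", args[0]);
        String pass = System.getenv("TRUSTSTORE_PASSWORD"); // hypothetical variable name
        if (pass != null) {
            System.setProperty("javax.net.ssl.trustStorePassword", pass);
        }
        // For a non-default store format, also set javax.net.ssl.trustStoreType.

        URL url = URI.create(args[1]).toURL();
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing non-HTTPS URL: " + url);
        }

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        // Constructed sample body, not real data.
        byte[] body = "field=constructed-sample-value".getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }

        // If the server certificate does not chain to the truststore, or the
        // hostname does not match it, the handshake throws an SSLException
        // here and the body is never sent.
        int status = conn.getResponseCode();
        System.out.println("HTTP " + status + " using " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

No custom TrustManager or HostnameVerifier is installed, so certificate-chain and hostname checks stay at the JSSE defaults.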