Jerec TheSith

Reputation: 1942

Adding trusted SSL Certificate to an app designed for API 8

I would like to use SSL for connections between my Android app and the server hosting my web services.

I wanted to use a self-signed certificate and then use SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER,

but then there would be a vulnerability to man-in-the-middle attacks, so I decided to use trusted certificates.

I am going to buy a certificate, but I wanted to know which CAs are the most trusted and how to generate a BKS.

I checked this link and this one and opted for the solution described in the first link, namely generating it with the Bouncy Castle library and loading it as a raw resource in the app. Is it a safe method, and will it work safely with devices using Android 2.2?

I'm trying to learn how all of this works, but it's my first experience using certificates.

Thank you very much!

Upvotes: 0

Views: 436

Answers (1)

Nikolay Elenkov

Reputation: 52936

A self-signed certificate is not inherently vulnerable to man-in-the-middle attacks. Using the ALLOW_ALL_HOSTNAME_VERIFIER is, though, so you shouldn't use it. As long as you properly set up your app to trust your self-signed certificate, and verify its validity properly, there is really no security problem.

If you want to buy a certificate, just get one from a CA that comes bundled with Android 2.2, and you won't have to deal with custom trust stores and extra code: it will just work, because the system trusts the issuing CA.

Upvotes: 1
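The "properly set up your app to trust your self-signed certificate" part of the answer, as an added example that is not code from either poster: it loads a BKS trust store containing only the server's self-signed certificate from a raw resource, builds an SSLContext whose trust managers accept nothing else, and opens an HttpsURLConnection that keeps the platform's default HostnameVerifier. This is the java.net / javax.net.ssl path rather than the Apache HttpClient SSLSocketFactory the question mentions; both work on Android 2.2. The resource name `R.raw.truststore` and the store password are assumptions standing in for whatever the BKS was generated with.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import android.content.Context;

/**
 * Builds an SSLSocketFactory that trusts only the certificates inside the
 * app's own BKS trust store. Hostname verification is deliberately left at
 * the platform default, so the certificate must also match the host in the URL.
 */
public final class SelfSignedTrust {

    // Assumption: the BKS file was generated with this password and shipped
    // as res/raw/truststore.bks. Use the password you chose when creating it.
    private static final String STORE_PASSWORD = "changeit";

    private SelfSignedTrust() {}

    /** Reads the bundled BKS trust store and wraps it in an SSLContext. */
    public static SSLSocketFactory buildSocketFactory(Context ctx)
            throws IOException, GeneralSecurityException {
        // "BKS" is the Bouncy Castle key store type that ships with Android.
        KeyStore trustStore = KeyStore.getInstance("BKS");
        InputStream in = ctx.getResources().openRawResource(R.raw.truststore); // assumed resource
        try {
            trustStore.load(in, STORE_PASSWORD.toCharArray());
        } finally {
            in.close();
        }

        // The trust manager built from this store rejects any chain that does
        // not end in a certificate the store contains, i.e. only our server.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }

    /**
     * Opens an HTTPS connection that uses the restricted trust store.
     * No HostnameVerifier is set, so HttpsURLConnection's default verifier
     * checks the certificate's CN/SAN against url.getHost().
     */
    public static HttpsURLConnection open(Context ctx, URL url)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildSocketFactory(ctx));
        return conn;
    }
}
```

Calling `open(context, new URL("https://api.example.com/"))` and then `conn.getInputStream()` will throw an SSLException if the server presents a certificate that is not in the BKS, or one whose name does not match the host, which is exactly the check that ALLOW_ALL_HOSTNAME_VERIFIER would have disabled.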
