JavaForAndroid

Reputation: 1179

Bidirectional SSL communication on Android?

I would like to send a request to a webserver. It should be secure against man-in-the-middle attacks. Therefore I have created an SSL certificate on the webserver (https). As a response I would get a random string. This works well.

But how can I secure the response to protect it against MITM attacks? How should the response be sent from the webserver to Android, and what do I have to configure on Android? Do I have to buy another trusted certificate?

Upvotes: 1

Views: 142

Answers (1)

quinz

Reputation: 1342

In a typical so-called 1-way TLS (a.k.a. "server certificate authentication") setup a server would listen for requests from basically any client, but the clients would only trust the server with a valid certificate. When the client thinks it can trust the received certificate, the communication channel can be opened and it will be encrypted both ways.

A so-called 2-way TLS (a.k.a. "client certificate authentication" or "mutual authentication") setup means that both ends present a certificate to the other end. In other words, your server would trust only certain clients (the ones that present a valid certificate). This would have no impact on your protection against MITM. You would just be limiting the pool of trusted clients.

So, in conclusion: if your only concern is to protect your communication against MITM attacks, 1-way TLS is fine.

TLS v1.2: https://www.rfc-editor.org/rfc/rfc5246

Upvotes: 1
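The two modes quinz describes, as an added example that is not part of the answer above. It is a self-contained Go program (chosen because crypto/x509 and crypto/tls can mint the whole PKI and run both ends of the handshake in one process, offline); every name in it (demo-root-ca, api.example.test, android-client-1, mitm-root) is constructed for the demo and not taken from the question. It shows that a client which checks the server certificate against the one root it trusts rejects a forged certificate for the same hostname, which is why 1-way TLS already defeats an impersonating middleman; that 2-way TLS only additionally narrows which clients the server admits; and, as the caveat an Android developer usually needs, that a client with verification switched off (the "trust all certificates" TrustManager pattern) happily accepts the forged certificate, so 1-way TLS protects nothing unless the app actually verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints an in-memory ECDSA certificate for name: self-signed (a root) when parent is
// nil, otherwise signed by parent. Every cert carries both EKUs so one helper serves all roles.
func newCert(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // Go matches ServerName against SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the roots
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Constructed demo PKI (assumed names, not a real deployment): one root the app trusts, a server
// and a client cert under it, and an unrelated root for an attacker forging the same hostname.
var (
	ca      = newCert("demo-root-ca", true, nil)
	srv     = newCert("api.example.test", false, &ca)
	cli     = newCert("android-client-1", false, &ca)
	mitmCA  = newCert("mitm-root", true, nil)
	mitmSrv = newCert("api.example.test", false, &mitmCA)
	trusted = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }()
)

// handshake runs one TLS handshake over loopback and returns the first error either side reports
// (nil: both accepted). clientCerts is what the client offers if asked; verify=false skips checks.
func handshake(server tls.Certificate, clientAuth tls.ClientAuthType, clientCerts []tls.Certificate, verify bool) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: clientAuth, ClientCAs: trusted}
	cliCfg := &tls.Config{RootCAs: trusted, ServerName: "api.example.test", Certificates: clientCerts, InsecureSkipVerify: !verify}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // Accept does not handshake; Handshake does, and in 2-way mode verifies the client cert
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // the client verifies the server cert here
	if err == nil {
		c.Close()
	}
	if serr := <-srvErr; err == nil {
		err = serr
	}
	return err
}

// 1-way TLS: only the server is authenticated, and that alone is what defeats a MITM.
func OneWayHonestServer() error   { return handshake(srv, tls.NoClientCert, nil, true) }
func OneWayImpersonator() error   { return handshake(mitmSrv, tls.NoClientCert, nil, true) }  // forged cert: refused
func OneWayTrustAllClient() error { return handshake(mitmSrv, tls.NoClientCert, nil, false) } // forged cert: accepted!

// 2-way TLS: the server additionally refuses clients that present no cert from its trusted root.
func MutualAnonymousClient() error { return handshake(srv, tls.RequireAndVerifyClientCert, nil, true) }
func MutualWithClientCert() error  { return handshake(srv, tls.RequireAndVerifyClientCert, []tls.Certificate{cli}, true) }

func main() {
	fmt.Println("1-way, honest server:     ", OneWayHonestServer())
	fmt.Println("1-way, impersonator:      ", OneWayImpersonator())
	fmt.Println("1-way, trust-all client:  ", OneWayTrustAllClient())
	fmt.Println("2-way, anonymous client:  ", MutualAnonymousClient())
	fmt.Println("2-way, client with cert:  ", MutualWithClientCert())
}
```

Running it, the honest server and the certified client in 2-way mode come back with no error, the impersonator is rejected by the verifying client (an "unknown authority" error on the client side), and the anonymous client is rejected by the server in 2-way mode; the only scenario that wrongly succeeds is the trust-all client, which is exactly the Android misconfiguration that makes the question's 1-way setup worthless. The mapping to Android is direct: RootCAs is the app's trust store (the system CAs, or a pinned root in network_security_config.xml), ServerName is hostname verification, and the client Certificates entry is what a KeyManager would supply if the server were ever switched to 2-way TLS.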
