Brian Reinhold

Reputation: 2475

Android secure communications: JSSE or Apache Http?

After having all kinds of problems taking my functioning JSSE-based HttpsURLConnection implementation using a custom truststore on Windows to Android, I have come across a number of issues that I cannot get answers to (the Android app still does not work):

  1. Does Android 4.0 still only support the BKS format for keystores and truststores (and not JKS)? My Windows application used JKS.

  2. Is JSSE or ApacheHttp better to use for secure TLS communications on the Android platform? (My Windows application used JSSE HttpsURLConnection and friends)

Before I start struggling with getting custom truststores working on Android I would like to know if using JSSE is barking up the wrong tree. Surely there must be a reason for having both of these APIs available! Then again, maybe not.

Upvotes: 2

Views: 1094

Answers (1)

Nikolay Elenkov

Reputation: 52956

The Android system trust store has been extended in ICS, and now lets you install trusted certificates. After you do, they will be picked up by the default TrustManager and both HttpClient and HttpsURLConnection should just work, no need for a custom store. More details here. The JKS format is proprietary, and is most likely not supported.

Apache HttpClient is more flexible and has a more expressive API, but the Android team has stated that they will only improve HttpConnection from now on. So, for newer platforms, that should probably be your choice if you can bear with the API. BTW, on Android, both are using the same JSSE implementation based on native OpenSSL code. Certificate verification is, however, done in Java and is largely based on the BouncyCastle code.

Update: some sample code on how to do this with both HttpClient and HttpsURLConnection:

https://github.com/nelenkov/custom-cert-https

Related blog post:

http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html

Upvotes: 1
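For the custom trust store route the question asks about, the following is an added example, not code from the answer or its linked repository: it loads a BKS trust store and applies it to a single HttpsURLConnection through standard JSSE calls. The class name, the raw resource name and the password handling are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class (name chosen for this example).
public final class CustomTrustStoreClient {

    // Builds an SSLContext whose trust anchors are only the certificates
    // in the supplied BKS store. On Android the stream would typically come
    // from getResources().openRawResource(R.raw.mytruststore), where
    // "mytruststore" is an assumed resource name.
    static SSLContext contextFor(InputStream bksStream, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance("BKS");
        try {
            trustStore.load(bksStream, password);
        } finally {
            bksStream.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client keys (null KeyManagers) and the default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Applies the context to one connection only, so other HTTPS traffic in
    // the process keeps using the system trust store. The default
    // HostnameVerifier is left in place, so hostname checks still run.
    static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Setting the socket factory per connection rather than through HttpsURLConnection.setDefaultSSLSocketFactory keeps the custom trust decision scoped to the one server it is meant for.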
