Modern Security in Android (part 6)

Dinorah Tovar
Oct 29, 2020 · 4 min read

A fast guide to be safe

This post is related to my lastest talk about “Modern Security for Android Developers”.

Here is the list of the blogs in this series:

Image for post
Image for post
Modern Security for Android Developers

This is the final part of the serial and probably the opening part of my second serial “Practical Network for Android Developers” that is gonna be available after this article.
In the Mobile world is common knowledge that you may need a couple of network services to make your app work, we usually assume that our services are gonna be okay if our connection is an https, but in reality, this is not completely true, putting some tools can make your request being available and sniffable from a Charles or a Wireshark.

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used. To keep your app secure you need an SSL certificate, usually, your server needs to have a private key and a public key, your app, and your server will do a handshake, the server using a private key of a certificate that has been signed by public-key cryptography.

Whatsoever, a handshake does not prove anything, anyone can create one for any website, that’s why you need a Certificate Authority!

A Certificate Authority is an org or company that validates as an identity, if you work for FakeCompany, you can create one identify you as a website, email, or even person, this digital certificate is a cryptographic key, it gives us a way to authenticate us by using some credentials to validate us, and encrypts our data of communication over insecure networks, this helps us to make sure that nothing can be altered by any sniffer when transferring data, the certificate will create the two keys we need, a private and public, but will add a CSR, which is a file that includes information about the authority. We can have two types of CSR, one is CER and PFX

Image for post
Image for post

When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another parties, or validate documents that were signed with this authority.

CER: Commonly used by SSL to identify web servers
PFX: This contains cryptographic data of the authority, certificates chains, and private keys.

Both are cryptographically protected with passwords to keep private keys private and preserve the integrity of the certificates. Just ask your DevOps engineers for the certificate (if you don’t have this kind of team, just ask the person that make the server configuration)

You can add the certificate to your HttpClient call in a very simple way, let’s do it:

  1. You can keep your certificate in the Raw folder, if and only if, the password is not stored as plain text in your code.
  2. Once you do this you can create an instance of the Keystore, remember we want to have this secure, so this certificate should happen in a trusted execution environment, depending on the type of your certificate you need to create a default type instance or a PKCS12,
    PKCS12 defines a file that is storing many cryptography objects as a single file AKA PFX.
  3. We also need a KeyManagerFactory integration for X509
    X.509
    is a standard defining the format of public keys it contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a Certificate Authority or self-signed.
  4. Once we have this KeyManagerFactory and our Keystore with the certificate, we can create an instance of SSL with TLS
Image for post
Image for post

Depending on what you are using, you can add this SSL integration to your HttpClient, for this example, is OkHttpClient, adding the SSL socket factory line

Image for post
Image for post

Using this, you made sure that your handshake will be secure and inaccessible for third parties and your data transfer will be secure!

This is all for this serial, thank you so much for keeping an eye on this, the serial was divided into multiple talks but you can found the final one on this website
In English at Droidcon EMEA
In Spanish at DevFestLatam
Slides are available at my Speaker Deck

If you need help:

I’m always happy to help, you can find me here:
Medium: https://medium.com/@dinorahto
StackOverflow: https://stackoverflow.com/users/4613259/dinorah-tovar

Happy Coding! 👩🏻‍💻

Dinorah Tovar

Written by

Google Developer Expert on Android | Doing Kotlin | Making Software 24/7 | Kotlin Multiplatform | She/Her | Opinions are my own, and not my employer

Knowing Android

Android development in Spanish and English | Desarrollo de Android en Español e Ingles

Dinorah Tovar

Written by

Google Developer Expert on Android | Doing Kotlin | Making Software 24/7 | Kotlin Multiplatform | She/Her | Opinions are my own, and not my employer

Knowing Android

Android development in Spanish and English | Desarrollo de Android en Español e Ingles

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store