Modern Security in Android (part 6)

Dinorah Tovar
Published in Knowing Android
Oct 29, 2020 · 4 min read

A fast guide to be safe

This post is related to my latest talk about “Modern Security for Android Developers”.

Here is the list of the blogs in this series:

Modern Security for Android Developers

This is the final part of the series and probably the opening part of my second series, “Practical Network for Android Developers”, which is going to be available after this article.
In the mobile world it is common knowledge that you may need a couple of network services to make your app work. We usually assume that our services are going to be okay if our connection is HTTPS, but in reality this is not completely true: with some tools in place, your requests can be visible and sniffable from Charles or Wireshark.

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry, although SSL is still widely used. To keep your app secure you need an SSL certificate. Usually your server needs to have a private key and a public key; your app and your server will do a handshake, with the server using the private key of a certificate that has been signed using public-key cryptography.

However, a handshake does not prove anything; anyone can create one for any website. That’s why you need a Certificate Authority!

A Certificate Authority is an org or company that validates an identity. If you work for FakeCompany, you can create one to identify you as a website, email, or even person. This digital certificate is a cryptographic key: it gives us a way to authenticate ourselves by using some credentials, and it encrypts our communication over insecure networks. This helps us make sure that nothing can be altered by any sniffer when transferring data. The certificate will create the two keys we need, a private one and a public one, but will add a CSR, which is a file that includes information about the authority. We can have two types of CSR: CER and PFX.

When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with other parties, or to validate documents that were signed with this authority.

CER: Commonly used by SSL to identify web servers.
PFX: This contains cryptographic data of the authority, certificate chains, and private keys.

Both are cryptographically protected with passwords to keep private keys private and preserve the integrity of the certificates. Just ask your DevOps engineers for the certificate (if you don’t have this kind of team, just ask the person who makes the server configuration).

You can add the certificate to your HttpClient call in a very simple way, let’s do it:

  1. You can keep your certificate in the Raw folder if, and only if, the password is not stored as plain text in your code.
  2. Once you do this, you can create an instance of the Keystore. Remember we want to have this secure, so this certificate should happen in a trusted execution environment. Depending on the type of your certificate, you need to create a default type instance or a PKCS12 one.
    PKCS12 defines a file format that stores many cryptography objects as a single file, AKA PFX.
  3. We also need a KeyManagerFactory integration for X509.
    X.509 is a standard defining the format of public key certificates: a certificate contains a public key and an identity (a hostname, an organization, or an individual), and is either signed by a Certificate Authority or self-signed.
  4. Once we have this KeyManagerFactory and our Keystore with the certificate, we can create an instance of SSL with TLS.

Depending on what you are using, you can add this SSL integration to your HttpClient; for this example it is OkHttpClient, adding the SSL socket factory line.
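The four steps above, wired into OkHttp, as an added Kotlin example (it is not the original post's code). The function name `buildTlsClient`, its parameters and the raw resource name in the comment are assumptions; note that the key managers supply the certificate this client presents, while the server's certificate is still validated by the trust manager.

```kotlin
import java.io.InputStream
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

/**
 * Builds an OkHttpClient that presents the certificate and private key from a
 * PKCS12 (PFX) bundle during the TLS handshake.
 *
 * pfxStream: hypothetical source, e.g. resources.openRawResource(R.raw.client_identity)
 * password:  obtained at runtime, never a string literal in the code (step 1)
 */
fun buildTlsClient(pfxStream: InputStream, password: CharArray): OkHttpClient {
    try {
        // Step 2: KeyStore of type PKCS12 holding the certificate chain and private key.
        val keyStore = KeyStore.getInstance("PKCS12")
        pfxStream.use { keyStore.load(it, password) }
        require(keyStore.aliases().hasMoreElements()) { "PKCS12 bundle contains no entries" }

        // Step 3: KeyManagerFactory producing X.509 key managers from that KeyStore.
        val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
        kmf.init(keyStore, password)

        // Server certificates are validated against the platform trust store;
        // passing a null KeyStore selects the system defaults.
        val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        tmf.init(null as KeyStore?)
        val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()

        // Step 4: SSLContext for TLS wired with both managers.
        val sslContext = SSLContext.getInstance("TLS")
        sslContext.init(kmf.keyManagers, arrayOf<TrustManager>(trustManager), null)

        // The "SSL socket factory line" on the OkHttp builder.
        return OkHttpClient.Builder()
            .sslSocketFactory(sslContext.socketFactory, trustManager)
            .build()
    } finally {
        password.fill('\u0000') // wipe the password from memory once the key is loaded
    }
}
```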

Using this, you make sure that your handshake will be secure and inaccessible to third parties, and your data transfer will be secure!

This is all for this series. Thank you so much for keeping an eye on it. The series was divided into multiple talks, but you can find the final one on this website:
In English at Droidcon EMEA
In Spanish at DevFestLatam
Slides are available at my Speaker Deck

If you need help:

I’m always happy to help, you can find me here:
Medium: https://medium.com/@dinorahto
StackOverflow: https://stackoverflow.com/users/4613259/dinorah-tovar

Happy Coding! 👩🏻‍💻
