0

I would like to use SSL for connections between my android app and the server hosting my web services.

I wanted to used a self-signed certificate and then use SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER

but then there would be a vulnerability to man-in-the-middle attacks, so I decided to use trusted certificates.

I am going to buy a certificate, but I wanted to know which CAs are the most trusted and how to generate a BKS

I checked this link and this one and opted for the the solution described in the first link, namely generating it with the bouncy castle library and loading it as a raw resource in the app. Is it a safe method, and will it work safely with devices using android 2.2 ?

I'm trying to learn how all of this work, but it's my first experience using certificates.

Thank you very much !

Community
  • 1
  • 1
Jerec TheSith
  • 1,932
  • 4
  • 32
  • 41

1 Answers1

1

A self-signed certificate is not inherently vulnerable to a man-in-the-middle attacks. Using the ALLOW_ALL_HOSTNAME_VERIFIER is though, so you shouldn't use it. As long as you properly set up your app to trust your self-signed certificate, and verify its validity properly there is really no security problem.

If you want to buy a certificate, just get one from a CA that comes bundled with Android 2.2, and you won't have to deal with custom trust stores and extra code: it will just work, because the system trusts the issuing CA.

Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84