
My app is currently accepting all untrusted certificates with "EasySSLSocketFactory". I would like to follow the web browser behavior, which shows the certificate information and asks the user to add the certificate to a trusted store or to cancel.

Does anybody know how to do it? Thanks.

jww
  • Also see [moxie0/AndroidPinning](https://github.com/moxie0/AndroidPinning) on GitHub. It's a Trust-On-First-Use (TOFU) scheme. Combine pinning with customary X509 validations, and it's a more secure system (better than what the browser provides with the CA zoo). – jww Aug 05 '14 at 23:42
  • My app has more than 1000 users and they might use their self-certificate. It seems that Android Pinning needs some pins of these certificates. Am I right? But I can't ask those pins to the users because it will be too many. Or the new users won't be able to use the app – Anel Rojas Hernández Aug 06 '14 at 01:23
  • 1
    Two use cases: (1) if the cert is issued by a trusted authority, then don't prompt the user. Pin the certificate and look for unexpected changes. (2) if the cert is self signed, then trust it on first use and don't prompt the user. In both cases: pin the certificate. Then: (3) if the public key changes unexpectedly (the pin is broken), then prompt the user and warn them something is wrong. You might also want to familiarize yourself with Peter Gutmann's [Engineering Security](http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). He talks about all of it and more... – jww Aug 06 '14 at 01:37
  • Thanks for the quick response. This can be a stupid question, but how can I pin the certificate? And how secure is it? – Anel Rojas Hernández Aug 06 '14 at 01:56

1 Answer


You need to show your own pop-up dialog for the cases where you want to prompt the user. Read this

You need to set your own level of verification.

Refer to Accepting a certificate for HTTPs on Android

AnkitSomani
  • Let me see if I understand, because I'm a little rusty on this topic. My app has more than 1000 users, and every user might have their own self-certificate, so what I'm doing is trusting all the certificates with EasySSLSocketFactory, but now I want to ask them if they want to add it. As you can see, I can't get the users' certificates and load them in the app as the Android developer page suggests. And I'm not very familiar with the "pinning" concept. Can I use that for this case that I want? – Anel Rojas Hernández Aug 06 '14 at 01:17
  • 1
    Ok, BTW, did you get chance look at : http://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html – AnkitSomani Aug 06 '14 at 20:15
  • Ok, I saw it, but it seems that I need a pin certificate, and I'm not sure if I can get every pin certificate of my users, because what happens if a new user comes up and has a self-signed certificate on his server? He won't be able to log in to my app, right? – Anel Rojas Hernández Aug 06 '14 at 23:03
  • In the end I resolved it by creating my own level of verification. Thanks to these links: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning ----- http://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html – Anel Rojas Hernández Oct 07 '14 at 20:45
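The "own level of verification" the answer refers to, and the three cases jww lays out in the question comments (CA-issued: accept and pin silently; self-signed: trust on first use and pin; pinned key changes: warn the user), can be implemented as a custom `X509TrustManager` instead of an accept-everything `EasySSLSocketFactory`. The following is an added example written for this page, not code from the original post, from AndroidPinning, or from the linked articles. It uses only standard JDK classes so it also compiles off-device; the class names `TofuPinningTrustManager`, `PinChangePolicy` and `PinnedClient` are my own, and the in-memory `PINS` map stands in for whatever persistent store (e.g. `SharedPreferences`) a real app would use. The pin is the SHA-256 of the leaf's DER `SubjectPublicKeyInfo`, as in the OWASP pinning page linked above. Because the TLS handshake runs on a background thread, the user prompt is modelled as a `PinChangePolicy` callback rather than a dialog inside the trust manager.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Decides what happens when a host's pinned key changes; a real app shows the dialog here. */
interface PinChangePolicy {
    boolean acceptNewKey(String host, X509Certificate presented, String storedPin, String newPin);
}

/** TOFU pinning layered on the platform trust store. One instance per host, because
 *  checkServerTrusted() is not told which peer it is validating. */
final class TofuPinningTrustManager implements X509TrustManager {
    private final String host;
    private final X509TrustManager platform;
    private final Map<String, String> pinStore;   // host -> base64(SHA-256(SubjectPublicKeyInfo))
    private final PinChangePolicy policy;

    TofuPinningTrustManager(String host, X509TrustManager platform,
                            Map<String, String> pinStore, PinChangePolicy policy) {
        this.host = host; this.platform = platform; this.pinStore = pinStore; this.policy = policy;
    }

    /** SPKI pin: SHA-256 over the DER-encoded public key, base64 (the HPKP/OWASP form). */
    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        X509Certificate leaf = chain[0];
        String pin = spkiPin(leaf);
        String stored = pinStore.get(host);

        if (stored != null) {
            // Case 3: host seen before. Only an unexpected key change is escalated to the user.
            if (!stored.equals(pin) && !policy.acceptNewKey(host, leaf, stored, pin)) {
                throw new CertificateException("pinned key for " + host + " changed; connection rejected");
            }
            pinStore.put(host, pin);   // unchanged, or the policy accepted the new key
            return;
        }
        // First contact. Case 1: the platform CA store validates the chain -> pin silently.
        try {
            platform.checkServerTrusted(chain, authType);
        } catch (CertificateException notCaIssued) {
            // Case 2: not CA-issued (e.g. self-signed). Still apply the cheap X.509 checks before
            // trusting on first use: validity window, and a signature that verifies with its own key.
            leaf.checkValidity();
            try {
                leaf.verify(leaf.getPublicKey());
            } catch (Exception e) {
                throw new CertificateException("leaf is neither CA-issued nor a valid self-signed cert", e);
            }
        }
        pinStore.put(host, pin);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** The platform's default X509TrustManager (on Android, the system CA store). */
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
}

public class PinnedClient {
    /** Hypothetical in-memory pin store; a real app persists this across restarts. */
    static final Map<String, String> PINS = new ConcurrentHashMap<>();

    public static HttpsURLConnection open(URL url, PinChangePolicy policy) throws Exception {
        TrustManager tm = new TofuPinningTrustManager(url.getHost(),
                TofuPinningTrustManager.platformTrustManager(), PINS, policy);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // hostname verification stays the default
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL target = new URL(args.length > 0 ? args[0] : "https://example.com/");
        PinChangePolicy rejectAndLog = (host, cert, oldPin, newPin) -> {
            System.err.println("KEY CHANGE for " + host + ": " + oldPin + " -> " + newPin
                    + " (" + cert.getSubjectX500Principal() + ")");
            return false;   // this is where a UI would ask the user instead
        };
        for (int i = 0; i < 2; i++) {   // the second connection takes the "already pinned" path
            HttpsURLConnection c = open(target, rejectAndLog);
            System.out.println("HTTP " + c.getResponseCode() + ", pin " + PINS.get(target.getHost()));
            c.disconnect();
        }
    }
}
```

Two caveats for using this on the page's actual problem. First, the trust manager replaces chain validation only; `HttpsURLConnection` still runs its `HostnameVerifier`, so a user's self-signed certificate must carry the server's hostname in its CN/SAN or the connection fails for that reason rather than for trust. Second, TOFU means whoever is on the wire at a host's first contact is the one who gets pinned; the scheme detects later changes, it does not authenticate the first connection, which is why the CA-issued path is tried first. `java.util.Base64` needs Java 8 / Android API 26; on older Android use `android.util.Base64` instead.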