3

I'm working on a JSON-based web service that is supposed to work with an Android application.

I would like to encrypt the data transport between the client (Android) and the server (a virtual server in a datacenter).

I don't have to make sure that my server is my server; I just need data encryption.

I have no idea how to use HTTPS.

Do I just put my PHP files in private_html and use the https://example.com URL?

Kamil

4 Answers

2

To use HTTPS, you don't have to do anything in the coding of your web service - it's all in your hosting. Here are the steps you can follow. The specific instructions differ depending on your hosting (IIS, Apache, AWS/Azure, etc.), but you can google the specifics of how to accomplish any of these steps for whatever host and application framework you decide on.

  1. Buy an SSL certificate (there are many different vendors, but expect to pay between $75 and $200 for the certificate) based on the vendor, reputation, and level of security you need.

  2. Generate a certificate signing request (CSR) on the server you'll be hosting on.

  3. Upload the CSR to the SSL vendor who will validate and provide the certificate for your use.

  4. Import the SSL certificate into your application server, and configure the site to use the certificate. For instance, if you're hosting Microsoft IIS, you'd import the SSL certificate and then add HTTPS bindings on 443 to the specific website hosting your web service.

Another point on security. Since you are deploying SSL, you don't have to do any application-level encryption (assuming you are not putting sensitive information in query strings - use POST if you think you need to). You probably would want to implement some security to restrict access to your web service so only your app can access it. Best practice is some level of OAuth, but at a minimum some type of pre-shared key in the header of the request is a lot better than nothing.

Here are some additional sites for more information:

Jason W
  • So... Data encryption will work for data sent from server to device, but not from device to server (via POST/GET or whatever)? Sorry about the maybe stupid question, English is not my first language, and I'm worried that I misunderstood something. – Kamil Oct 21 '14 at 02:01
  • Not stupid at all. Data encryption works both ways using SSL. Both your request and response are encrypted for any POST/GET or whatever when you use SSL. My second point was to be sure nobody else can access your web service endpoint by using either OAuth or a pre-shared header value that only your application knows so only your application can connect to your web service. – Jason W Oct 21 '14 at 02:08
  • I'm aware of that. My question was only about "man in the middle" / sniffing protection. – Kamil Oct 21 '14 at 06:44
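The four steps above, worked through as an added example for an Apache host with OpenSSL (this is not code from the original answer). The hostname example.com, the file paths and the vhost layout are assumptions; the CSR is what you upload to whichever vendor you pick, and the signed certificate plus its intermediate chain is what they send back.

```shell
#!/bin/sh
# Added example: generate the private key and CSR (step 2), sanity-check the
# CSR before uploading it (step 3), and write an Apache vhost that serves the
# returned certificate (step 4). Hostname and paths are assumptions.
set -eu

# Step 2: a fresh 2048-bit RSA key and a CSR for it. The key never leaves this
# machine; only server.csr goes to the vendor. Modern clients (Android 7+
# included) match the hostname against the SAN, not the CN, so set both.
make_csr() {
  host=$1; dir=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
}

# Before uploading: the CSR parses, its self-signature verifies against the
# embedded public key, and it carries the expected hostname. Prints "ok".
check_csr() {
  host=$1; dir=$2
  openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$dir/server.csr" -noout -text | grep -q "DNS:$host" || return 1
  echo ok
}

# Step 4 (Apache flavour): port 80 only redirects, so a client cannot fall
# back to plaintext by mistake; port 443 serves the PHP files with the
# vendor's certificate (chain appended to the .crt) and the key from step 2.
# Old protocol versions are disabled; adjust DocumentRoot to your layout.
write_vhost() {
  host=$1; dir=$2
  cat > "$dir/$host.conf" <<EOF
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    DocumentRoot /var/www/$host/public_html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$host.crt
    SSLCertificateKeyFile /etc/ssl/private/$host.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# Once the certificate is installed, confirm from outside that the chain
# verifies and the name matches (needs network, so not run here):
#   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>&1 | grep 'Verify return code'

WORK=$(mktemp -d)
make_csr example.com "$WORK"
check_csr example.com "$WORK"
write_vhost example.com "$WORK"
```

The s_client check at the end is the one that matters for the asker's "man in the middle" concern: a "Verify return code: 0 (ok)" means a client that validates certificates (as Android's default HTTP stack does) can tell your server from an impostor; encryption alone, without that check, does not.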
1

If you don't want to pay for a certificate, you can use a certificate signed by your own CA and add the root certificate into your application using HttpClient and keystores.

Here are some guides:

http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

http://developer.android.com/reference/org/apache/http/client/HttpClient.html

KeyStore, HttpClient, and HTTPS: Can someone explain this code to me?

http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/

torrentalle
0

You can limit users to use JUST and only HTTPS in Apache, IIS or whatever you use. If your client connects to your server, his communications will likely be encrypted, because he is already using HTTPS. And as for responding in HTTPS, you virtually cannot send HTTPS responses, as far as I know, unless the other side is also a website (for example, if you have your website, you could send such a response e.g. to Google). You should be okay sending data like HTTP status codes (OK, NotModified, PageNotFound, ...), or if you want something more, or if it is a requirement, then you still have JSON and you could encode it as well, with some encoding algorithms, or use a binary JSON format.

Citrus
  • So... I cannot do Apache->Android encryption with HTTPS? I have to encrypt the data "manually", in code? – Kamil Oct 15 '14 at 23:33
  • No, I think it is already encrypted as long as you use HTTPS, and I'm 99.9% sure that you will be okay with just JSON data in the server response, which you can encrypt if you insist, so you can choose AES 128-bit entropy encoding, which is more than fine for your needs – Citrus Oct 16 '14 at 05:50
  • `HTTPS` will encrypt your entire traffic. No need to encrypt it more. The goal of `HTTPS` is to ensure no data can be stolen with a sniffer. – GuyT Oct 19 '14 at 11:20
  • While true, maybe he would do that for the sake of his sanity :D – Citrus Oct 19 '14 at 14:26
0

Check if your hosting company provides a free public shared https address. Most of them do.

If you want to understand how to do it right, follow this thread

Warning: Don't stick with the solution below for production.

If you plan to use an HTTPS endpoint without a certificate you have to make sure to disable peer verification; check this answer.

Guilherme Viebig