I want to secure a Java REST backend service with two-way SSL, to prevent unauthorized access.

An Android APK needs to be signed to work. Is it possible to create a "trust" between my REST service and this APK, without using a hardcoded password from the APK cert in the client code?

The main idea is to configure the server's two-way SSL to trust connections only from the APK cert.

3 Answers

Is it possible to create a "trust" between my REST service and this APK, without using a hardcoded password from the APK cert in the client code?

Not really. Your public key in the APK is just as "hardcoded" as a password. Anyone can go in and use that information to access your REST service.

CommonsWare

In order to perform two-way TLS/SSL you need to have a certificate with private key on the client device. The certificate used to sign the APK will result in the public key for the certificate on the device, but not the private key. You would want to avoid placing this private key on the device as it would allow others to sign APKs as you.

Instead of using the APK signing certificate for two-way TLS/SSL, you should consider using a separate certificate possibly generated per device during an initial registration process. This certificate would be installed to the Android KeyStore, and the public key from this certificate would need to be installed on the server hosting the backend REST service. This certificate would then act as client credentials in a similar manner to a username/password pair assigned to the device.

For an example using client certificates on Android see: http://chariotsolutions.com/blog/post/https-with-client-certificates-on/

Brice Williams

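The per-device client-certificate scheme described in this answer, seen from the server side, as an added example that is not part of the original thread: the service only completes the TLS handshake when the client presents a certificate chaining to the device-registration CA, and then looks the certificate's SHA-256 fingerprint up in the registration table to learn which device is calling. The keystore file names, the port and the in-memory registry are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;

// Mutual-TLS acceptor: a client cert issued by the registration CA is required, and its
// fingerprint must have been recorded during device registration. Paths are assumptions.
public class DeviceMtlsServer {
    // Filled in during device registration (cert fingerprint -> device id); constructed here.
    static final Map<String, String> REGISTERED = new ConcurrentHashMap<>();

    static SSLContext buildContext(char[] pw) throws Exception {
        KeyStore server = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("server.p12")) { server.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(server, pw);
        // The trust store holds ONLY the CA that issues per-device certs, not the public web CAs,
        // so a certificate from any other issuer fails the handshake.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("device-ca.p12")) { trust.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Returns the registered device id for this session, or null if the (valid) cert is unknown.
    static String authenticate(SSLSession session) throws Exception {
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0]; // throws without a client cert
        leaf.checkValidity();
        return REGISTERED.get(fingerprint(leaf));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.getenv("KEYSTORE_PASSWORD").toCharArray(); // keep secrets out of the code
        SSLServerSocket ss = (SSLServerSocket) buildContext(pw).getServerSocketFactory().createServerSocket(8443);
        ss.setNeedClientAuth(true); // handshake is rejected unless the client presents a certificate
        try (SSLSocket s = (SSLSocket) ss.accept()) {
            String device = authenticate(s.getSession());
            System.out.println(device == null ? "unregistered certificate, rejecting" : "device " + device);
        }
    }
}
```

Revoking a device is then a matter of removing its fingerprint from the registry (or the CA's revocation list), which the APK-signing-key approach cannot offer because every install shares the same key.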
I think you can try the answer from here and use the SHA of the key you used to sign the APK.

It says something like this:

    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.PackageManager.NameNotFoundException;
    import android.content.pm.Signature;
    import android.util.Base64;
    import android.util.Log;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    // Print the hash of each certificate that signed this APK ("SHA" is the JCA alias for SHA-1)
    try {
        PackageInfo info = getPackageManager().getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            Log.e("MY KEY HASH:", Base64.encodeToString(md.digest(), Base64.DEFAULT));
        }
    } catch (NameNotFoundException e) {
        Log.e("MY KEY HASH:", "package not found", e);
    } catch (NoSuchAlgorithmException e) {
        Log.e("MY KEY HASH:", "SHA digest not available", e);
    }

And you can save that key on the server side. I think that is what Facebook or Google do, for example.

Cata