-2

During the development period, my server uses a self-signed CA certificate. The production server will use a real certificate.

With iOS, I am able to simply drag the certificate inside the emulator and it will be trusted from then on.

For Android, all the solutions I found involve code. I don't want to insert code in my application just for my testing. Is there a similar solution to what iOS offers?

Nathan H
  • I'm utterly opposed to this 'trust a self-signed certificate during testing' stuff. You *must* test the production deployment, not something else, and you must *not* introduce insecurities into your code 'for testing' or any other reason. It is genuinely terrifying to think how many of these 'for testing' systems have been deployed into production without having been de-'for testing'-ed. Don't do this. – user207421 Jan 27 '16 at 09:51
  • I do not have access to the production yet. And you are exactly right, I am asking how to test without introducing insecurities in my code, that's exactly what I am saying. On iOS I can install the certificate on the emulator, so it does not introduce any bad code. – Nathan H Jan 27 '16 at 09:54
  • Oh and by the way, what world do you live in where you test directly on production?? – Nathan H Jan 27 '16 at 09:55
  • I didn't say anything about testing on production. I said you must test the production deployment. Same code, same configuration, no 'for testing' special cases. Otherwise you are testing nothing. – user207421 Jan 27 '16 at 10:02
  • But... you don't even know what I am testing? Anyway, I think this is counter-productive. I'll take your comments as "I don't know". – Nathan H Jan 27 '16 at 10:05
  • Possible duplicate of [Self Signed SSL acceptance Android](http://stackoverflow.com/questions/1217141/self-signed-ssl-acceptance-android) – gio Jan 27 '16 at 10:29
  • Thank you @gio but that link fails the "no code" idea. I don't want to insert code that would make the app unsafe. – Nathan H Jan 27 '16 at 13:26

1 Answer

2

> Is there a similar solution to what iOS offers?

No.

> I don't want to insert code in my application just for my testing.

You are certainly welcome to use techniques like dependency injection, to make it easier for you to have alternative configurations in different build types.

> During the development period, my server uses a Self-signed CA certificate.

Please note that regular SSL certificates are rather inexpensive.

CommonsWare
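One way to apply the dependency-injection suggestion from the answer above, as an added example that is not part of the original answer: the app depends on a small interface, and only the debug build's implementation trusts the development CA. `TlsConfig`, `ReleaseTlsConfig`, `DebugTlsConfig`, the `dev-ca` alias and the source-set placement are hypothetical names and assumptions; the trust-store calls are standard `java.security` and `javax.net.ssl` APIs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical seam: networking code asks for a factory and has no build-type branches. */
interface TlsConfig {
    SSLSocketFactory socketFactory() throws GeneralSecurityException, IOException;
}

/** Assumed to live in the release source set: platform trust store only. */
final class ReleaseTlsConfig implements TlsConfig {
    @Override
    public SSLSocketFactory socketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // null trust managers = default system CAs
        return ctx.getSocketFactory();
    }
}

/** Assumed to live in the debug source set: trusts exactly one development CA. */
final class DebugTlsConfig implements TlsConfig {
    private final InputStream devCaPem; // CA certificate shipped only with debug builds

    DebugTlsConfig(InputStream devCaPem) { this.devCaPem = devCaPem; }

    @Override
    public SSLSocketFactory socketFactory() throws GeneralSecurityException, IOException {
        Certificate ca;
        try (InputStream in = devCaPem) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                  // empty in-memory store
        ks.setCertificateEntry("dev-ca", ca); // the only trust anchor in this build
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                         // stock chain validation, no custom TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

Because the development CA and the class that loads it exist only in the debug build, the release artifact contains neither, and certificate validation is never disabled in either build.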