
We have a REST web service with SSL enabled (HTTPS). We'd like to build a client that uses REST libraries like Retrofit to make requests to the said service. The authentication we have is basic auth initially, then followed by a token after.

Does Android automatically encrypt the HTTPS headers, i.e. Authorization Code (Basic Auth)?

I'm asking because when using Postman (client), I am able to see the Authorization in the HTTP header. Not sure if I'm checking this correctly though.

Appreciate any feedback.

ads
  • Basic Auth only uses base64 encoding for the credentials in the header, there is no additional security so you must use SSL, which you are. – Philio Apr 15 '19 at 06:06
  • What @Philio mentioned is correct and apart from this, you can check out [this](https://stackoverflow.com/questions/187655/are-https-headers-encrypted). – bhavya_karia Apr 15 '19 at 06:26

1 Answer


Does Android automatically encrypt the HTTPS headers, i.e. Authorization Code (Basic Auth)?

There are no HTTPS headers. There are HTTP headers only. HTTPS is HTTP inside a TLS connection, which also means that all HTTP headers (including Authorization) are encrypted as TLS application payload.

Of course these headers are available in the client and server before encryption and after decryption and that's why you can see the plain headers there. TLS cares only about protecting the transport of the data between client and server against sniffing and modification, but does not protect the data at the endpoints of the communication.

Steffen Ullrich
  • So if I were to use a tool to sniff the request, I will not see the password in clear text since this is through HTTPS and SSL? – ads Apr 15 '19 at 06:36
  • @ank: With passive traffic sniffing (Wireshark etc.) you will not see the password. With an active man in the middle (like with [mitmproxy](https://mitmproxy.org/)) it is possible to sniff and modify the data, but if the client properly checks the certificate (like browsers do) this will result in a certificate verification error before any data are transmitted, so hopefully the client will stop interacting with the malicious peer before any harm is done. – Steffen Ullrich Apr 15 '19 at 06:39
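As an added example (not code from the question or the answer), this is how the Retrofit/OkHttp client described in the question could attach the Basic-then-token Authorization header while relying on TLS for confidentiality, as the answer explains: it fails closed on a plain-http URL and leaves OkHttp's default certificate verification untouched. The class name, the token-handoff method and the base URL are assumptions.

```java
import java.io.IOException;
import okhttp3.Credentials;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import retrofit2.Retrofit;

/** Adds Basic auth until a token is obtained, then a Bearer token, and refuses
 *  to put either on a plain-http request, since only TLS protects the header.
 *  (Hypothetical helper written for this page, not part of Retrofit/OkHttp.) */
public final class AuthInterceptor implements Interceptor {
    private final String basicCredentials;   // "Basic " + base64(user:password)
    private volatile String token;           // set after the login call succeeds

    public AuthInterceptor(String user, String password) {
        // Basic auth is only base64 encoding, not encryption (see the comments above).
        this.basicCredentials = Credentials.basic(user, password);
    }

    /** Assumed handoff point: called once the service has issued a token. */
    public void setToken(String token) { this.token = token; }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request original = chain.request();
        // Over plain http the header would travel in clear text, so any passive
        // sniffer would recover the password; fail closed instead of sending it.
        if (!original.url().isHttps()) {
            throw new IOException("refusing to send credentials over plain http: " + original.url());
        }
        String value = (token == null) ? basicCredentials : "Bearer " + token;
        Request authed = original.newBuilder().header("Authorization", value).build();
        return chain.proceed(authed);   // header is encrypted as TLS application data
    }

    /** Builds the Retrofit instance. The default OkHttpClient keeps the platform
     *  certificate chain and hostname verification on; overriding it with a
     *  trust-all TrustManager would make the active MITM case in the answer
     *  undetectable, so no custom sslSocketFactory/hostnameVerifier is set here. */
    public static Retrofit buildRetrofit(String baseUrl, AuthInterceptor auth) {
        OkHttpClient client = new OkHttpClient.Builder()
                .addInterceptor(auth)
                .build();
        return new Retrofit.Builder()
                .baseUrl(baseUrl)   // e.g. "https://api.example.invalid/" (placeholder)
                .client(client)
                .build();
    }
}
```

Add a converter factory (e.g. for JSON) to the Retrofit builder as your service interface requires; it is omitted here because it does not affect the authentication or TLS behaviour shown.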