How To Make App Communicate With Server

Secure Communication With the Server From Your Android Client With Certificate Pinning

Learn how to write proper security rules for your Android application

Siva Ganesh Kantamani

Photo by King's Church International on Unsplash

Security and privacy are among the most difficult tasks for any Android developer, which is no surprise: Android is an open-source platform and everyone can see how it works.

In this article, we're going to deal with secure communication in Android, mainly between client and server.

Introduction

Currently, the most common architecture of web services is REST-based on HTTP. The best protection method for this model of communication is the TLS/SSL standard.

It can be combined with the HTTP protocol to create an encrypted variant called HTTPS. HTTPS ensures safe, encrypted communication between the app and the server.

Problem

It's common for developers to make their network calls over HTTPS, but not to do it properly.

The simplest step is to change the scheme in the URL from HTTP to HTTPS. This gives a certain degree of protection because TLS/SSL encryption is enabled by default (provided the server supports it).

However, this alone is not enough to keep your data secure. Changing the scheme enables encryption, but the app will then accept any certificate the server presents, as long as it chains to one of the many certificate authorities trusted by the device.

This means an attacker who can obtain a fraudulent certificate that the device trusts can present it to the app and intercept the encrypted traffic, which is the well-known man-in-the-middle attack.

That is the main reason you should spend more time and effort implementing your HTTPS configuration correctly.

Solution

To avoid this threat, we should implement certificate pinning.

To do this, we bundle the fingerprint of the server certificate with the app and compare it with the certificate the remote server presents while the connection is being established.

If they match, the connection is trusted; otherwise no data should be transferred, as the connection may be compromised.

There are three ways to implement certificate pinning in Android:

  1. Network security configuration.
  2. TrustManager.
  3. OkHttp and certificate pinning.

Network Security Configuration

This is the easiest way, and the native way, to do certificate pinning in Android.

Unlike the other two methods, this configuration requires no coding, but network security configuration has one flaw: it only works on Android N and above.

The network security configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and a specific app.

Network security configuration uses an XML file which has to be created under the res/xml directory, and we need to declare this XML file in the manifest as shown below:

    <?xml version="1.0" encoding="utf-8"?>
    <manifest ... >
        <application
            android:networkSecurityConfig="@xml/network_security_config"
            ... >
            ...
        </application>
    </manifest>

Now that we know how to create a network security file, it's time to configure it.

Here, we have two main tags, <base-config> and <domain-config>.

  • <base-config> declares settings that apply to the entire app, regardless of which domain the connection is made to.
  • On the other hand, <domain-config> configures specific rules for only the domains of your choice.

Have a look:

Network security file configuration

Here, we used the <base-config> tag to disable clear-text traffic, which means only HTTPS service calls will happen throughout the app, and to specify that the system certificates are used for networking.

In <domain-config>, on the other hand, we've named a specific domain and configured certain rules for it: for example, use only the certificate file in the res/raw directory when making a network connection to the "secure.example.com" domain.

Now that we know how to use a bundled certificate, it's time to add certificate pinning. Here, we use the <pin-set> tag to associate a particular pin with the domain, as shown below.

Certificate pinning with domain-config
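A complete res/xml/network_security_config.xml combining the <base-config>, <domain-config> and <pin-set> settings described above, as an added example that is not part of the original article. The domain, the raw resource name (my_ca) and the pin values are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; the domain, the
     pin values and the raw resource name are assumptions) -->
<network-security-config>
    <!-- App-wide defaults: no cleartext HTTP, trust only the system CA store -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rules for one host and its subdomains -->
    <domain-config>
        <domain includeSubdomains="true">secure.example.com</domain>
        <!-- Restrict trust for this host to the certificate bundled as
             res/raw/my_ca (PEM or DER, referenced without extension) -->
        <trust-anchors>
            <certificates src="@raw/my_ca" />
        </trust-anchors>
        <!-- Pins are the base64 SHA-256 of the SubjectPublicKeyInfo. After the
             expiration date pinning is no longer enforced, so a stale pin
             cannot lock users out of an app that was never updated -->
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin for a key that is generated but not yet deployed -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

A pin value can be computed from a PEM certificate with `openssl x509 -in my_ca.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64`. Ship at least one backup pin, or a pin mismatch after key rotation will block every user who has not updated the app.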

TrustManager

This is one of the oldest methods of implementing certificate pinning in Android.

A TrustManager is responsible for deciding whether the app should accept the credentials presented by the peer. It lives in the javax.net.ssl package, and we use it here to implement certificate pinning.

Step 1

Add your certificate file to the res/raw directory. The certificate should preferably be in PEM or DER format, without any comment lines in it.

Step 2

Initialize the KeyStore with a certificate as shown below:

Reading certificate with KeyStore

Step 3

Now that we have the certificate instance, it's time to initialize the TrustManager.

Creating the TrustManager instance

Step 4

Now that we have the certificate and trust manager instances, let's complete the final step: create the SSL context with the TLS protocol and then open a secure SSL connection that uses that TrustManager.

Creating a secure SSL connection with TrustManager factory
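Steps 1 to 4 carried through in one class, as an added example that is not from the original article. It assumes a certificate bundled as res/raw/my_ca, an application package com.example.app for the generated R class, and a hypothetical API URL passed by the caller.

```java
// Added example (not from the article). Assumes res/raw/my_ca holds the
// server (or issuing CA) certificate in PEM/DER form and that the app's
// package is com.example.app.
import android.content.Context;
import com.example.app.R;
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedConnectionFactory {

    private final SSLContext sslContext;

    public PinnedConnectionFactory(Context context) throws Exception {
        // Steps 1 and 2: read the bundled certificate into an empty KeyStore
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = new BufferedInputStream(
                context.getResources().openRawResource(R.raw.my_ca))) {
            ca = cf.generateCertificate(in);
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);             // start empty: no system CAs inside
        keyStore.setCertificateEntry("ca", ca);

        // Step 3: a TrustManager that accepts only chains ending at that certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        // Step 4: SSLContext built on the pinned trust manager (no client key manager)
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    /** Opens an HTTPS connection whose handshake fails unless the server's
     *  chain is rooted in the bundled certificate. */
    public HttpsURLConnection open(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default hostname verifier is kept: pinning does not replace host checks
        return conn;
    }
}
```

A certificate that is not in the bundled file, including one issued by a system-trusted CA, makes getInputStream() throw SSLHandshakeException, which is the signal to abort rather than retry with a relaxed trust manager.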

OkHttp and Certificate Pinning

OkHttp is a widely used networking library from Square, and Retrofit uses OkHttp for networking. The OkHttp team has made it very simple to implement certificate pinning.

First, we create a certificate pinner instance using the dedicated OkHttp CertificatePinner builder and add a domain and its corresponding fingerprint to it.

Finally, we add the pinner to the OkHttp client. Have a look:

Certificate pinning with OkHttp

We can also add multiple fingerprints to the builder. This is helpful for adding a backup fingerprint when the current certificate is about to expire. We can also import the certificate files into the resources folder, as in the TrustManager case.

In that case you need to write a class that extracts the fingerprint from the file. You can also use the Peer certificate extractor to extract fingerprints.

It's definitely not recommended to hard-code the fingerprints in the source. Declare them in the Gradle file as a build-config field instead.
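The OkHttp setup described above, with a primary and a backup pin taken from BuildConfig fields and a helper that derives a pin from a bundled certificate file, as an added example that is not the article's or OkHttp's own code. The host, the BuildConfig field names and the build.gradle lines in the comment are assumptions; the OkHttp 3.x/4.x API calls are real.

```java
// Added example (not from the article). Assumes OkHttp 3.x or 4.x and that
// build.gradle declares the pins, e.g.:
//   buildConfigField "String", "API_PIN",        "\"sha256/AAAA...=\""
//   buildConfigField "String", "API_PIN_BACKUP", "\"sha256/BBBB...=\""
import com.example.app.BuildConfig;   // generated class of the assumed app package
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedHttp {

    private static final String HOST = "secure.example.com"; // assumed host

    /** Client that rejects any chain for HOST in which no certificate's public
     *  key matches one of the pins. Two pins: the live key and the next one. */
    public static OkHttpClient client() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, BuildConfig.API_PIN)         // key currently deployed
                .add(HOST, BuildConfig.API_PIN_BACKUP)  // key prepared for rotation
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Derives an OkHttp-format pin ("sha256/<base64 SPKI hash>") from a
     *  PEM/DER certificate stream, e.g. a file opened from res/raw, so the
     *  value does not have to be typed into the source by hand. */
    public static String pinFromCertificate(InputStream certFile) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509")
                .generateCertificate(certFile);
        return CertificatePinner.pin(cert);
    }

    /** A pin mismatch surfaces as SSLPeerUnverifiedException from execute(),
     *  and the request never reaches the server. */
    public static String fetch(String path) throws IOException {
        Request request = new Request.Builder().url("https://" + HOST + path).build();
        try (Response response = client().newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        }
    }
}
```

Note that a BuildConfig field is still compiled into the APK, so this keeps the pins out of the source tree and easy to vary per build type, not hidden from someone who unpacks the app.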

Briefly About Certificates

There are almost 138 certificate authorities accepted by the Android ecosystem, and the count increases every day.

You can add your self-signed, leaf, intermediate, or root certificate. Let me explain these certificates a bit more so that you'll have a good idea of what they are.

Leaf Certificate

By pinning a leaf certificate you are 100% sure that it is exactly your certificate, and you are establishing a secure connection.

Leaf certificates have a very short lifetime, so you need to push an update to your app to keep connectivity when they are renewed. It's highly recommended to use backup keys.

Intermediate Certificate

By pinning an intermediate certificate you are depending on the intermediate certificate authority.

This method has an advantage: as long as you stick to the same certificate provider, any changes to your leaf certificates will work without having to update your app. Using an intermediate certificate is secure only when your provider is trustworthy.

Root Certificate

By pinning the root certificate, you are depending on all of the intermediate certificates approved by that root certificate authority. If any of those intermediate certificates is compromised, there is a chance of your app being attacked.

Conclusion

My suggestion is that using OkHttp with certificate pinning is the best way to go.

Although many of us prefer the native network security configuration, as I said, it only supports Android N and above devices. There is no complete protection with the native methods yet.

Hopefully, in a year or two, the minimum Android version will reach Android N and then we can use the native security configuration.

Thank you for reading.

Source: https://betterprogramming.pub/secure-communication-with-the-server-from-your-android-client-with-certificate-pinning-5f53cea55972

Posted by: hallplover.blogspot.com