I am new to SSL. I am using the code given at https://developer.android.com/training/articles/security-ssl.html#HttpsExample and using it I am able to establish connection with my URL (verified by urlConnection.getResponseCode(), where urlConnection is of type HttpsURLConnection). Now my doubt is using this how do I ensure that I am communicating with the correct server? Without that I think there can still be MITM attack. In the link mentioned above there is some discussion about this, but I don't know how to check this using java code. Thanks for your valuable time and help.
- Show your code please where you are able to establish connection... – B001ᛦ Jul 09 '15 at 15:12
- MITM attacks are only possible if you use one of the TrustManager or HostnameVerifier implementations posted frequently here on StackOverflow. – Robert Jul 09 '15 at 15:20
- Are you using a self-signed or CA-signed server certificate? – Kevin Krumwiede Jul 09 '15 at 15:27
- I am using a CA signed certificate – dejavu Jul 09 '15 at 18:07
1 Answer
To verify the right server, you have to pin the certificate. Please have a look at https://developer.android.com/training/articles/security-ssl.html#Pinning; a tutorial is given here: http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

Tobias S
- Pinning the certificate is an additional security measure. By default hostname + Android certificate validation are secure. – Robert Jul 09 '15 at 15:19
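The pinning approach the answer links to, written out as an added example (not code from the thread or from the Android documentation): an SSLContext whose only trust anchor is a certificate shipped inside the app, so a chain signed by any other CA, including one already in the device's trust store, fails the handshake. It assumes the app bundles the server's CA certificate as a PEM resource and passes its InputStream in; the resource name and URL are hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedClient {

    // Builds an SSLContext that trusts ONLY the certificate read from pemStream
    // (the server's issuing CA, or the server certificate itself). The device's
    // default trust store is not consulted at all.
    public static SSLContext buildPinnedContext(InputStream pemStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinned = cf.generateCertificate(pemStream);

        // Empty in-memory KeyStore holding just the pinned certificate.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned", pinned);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens the connection with the pinned trust store. HttpsURLConnection's default
    // HostnameVerifier is deliberately left in place, so the certificate's subject /
    // SAN is still matched against the URL host as well.
    public static int fetchStatus(URL url, InputStream pemStream) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildPinnedContext(pemStream).getSocketFactory());
        try {
            // Throws SSLHandshakeException if the server chain does not lead to the pin.
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

On Android the pemStream would come from a raw resource such as `getResources().openRawResource(R.raw.server_ca)` (hypothetical name). Pinning the issuing CA rather than the leaf certificate survives routine leaf renewals, but a rotation of the pinned certificate itself requires shipping an app update.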