
In my application I am using the AndroidHttpClient to send an HTTPS request to the server. In order to avoid a man-in-the-middle attack, we may need to check whether the SSL certificate is issued by a trusted authority. Is there any way we can achieve this without using the HttpsURLConnection and certificate pinning in the client?

The Android application needs to trust all the certificates issued by the trusted CAs.

Shyam
  • If by "AndroidHttpClient", you mean `android.net.http.AndroidHttpClient`, you really should be moving off of that and onto something else. The baked-in copy of Apache HttpClient in Android has been a bad idea for years, was deprecated in Android 5.1, and was removed from the SDK in Android 6.0. If you are referring to something else, you might wish to provide a link to it. – CommonsWare Oct 14 '16 at 19:27
  • Yeah, the app is using android.net.http.AndroidHttpClient, since the code base is really old. Does this need to be moved to javax.net.ssl.HttpsURLConnection to make it SSL secure? – Shyam Oct 15 '16 at 06:06
  • If you are going into the code base to update your SSL handling, fix the rest of the HTTP access code as well, replacing `AndroidHttpClient` with just about anything else (`HttpUrlConnection`, OkHttp, etc.). And, if you do that, [my backport of Android 7.0's network security configuration](https://github.com/commonsguy/cwac-netsecurity) code can help you with limiting your SSL access to certain CAs. – CommonsWare Oct 15 '16 at 11:57
  • The app wants only the basic SSL security feature. – Shyam Oct 15 '16 at 13:07

0 Answers