09 - Android Security (2)

  • Description: SSL/TLS, JSSE API, Android JSSE providers
  • Practical part: HTTP, HTTPS, system trust store, custom trust store

Lecture

Practical

Task 1 - Fetch web page through HTTP (3p)

Create an application that downloads a web page through HTTP. The activity includes an EditText, a Button and a TextView. The user introduces an URL and clicks on the button to obtain the contents of the web page.

Steps:

  • When the Button is clicked, check network connectivity through the ConnectivityManager
  • Then, perform network operations in an AsyncTask
  • Use HttpURLConnection for performing HTTP GET requests
  • Get associated InputStream for receiving the reply
  • The reply is displayed in the TextView

Resources:

Task 2 - Fetch web page through HTTPS (1p)

Modify the previous application in order to obtain web pages through HTTPS. Use HttpsURLConnection.

Resources:

Task 3 - Display system trust store (3p)

The Android system includes a system (default) trust store, which includes a list of trusted Certificate Authorities (CAs).

Modify the previous application in order to display the system trust store using TrustManager.

Steps:

  • Obtain an instance of TrustManagerFactory and initialize it
  • Obtain an instance of the first TrustManager (X509TrustManager)
  • Display information about each trust anchor (X509Certificate)

Resources:

Task 4 - Use a custom trust store (3p)

The previous application will not be able to fetch web pages on a server with a certificate that is issued by an unknown CA. For example: https://certs.cac.washington.edu/CAtest/, which uses certificate issued by UW Services Certificate Authority (which is not trusted by Android by default). Extend the application in order to be able to access this URL, by loading and using a custom trust store.

The steps for this task are almost similar to the ones for Task 2.

Steps:

  • Save certificate file from server and put it in res/raw/
  • Load trusted CAs from file
  • Create a KeyStore object and insert the trusted CAs
  • Obtain an instance of TrustManagerFactory and initialize it
  • Obtain an instance of SSLContext and initialize it
  • Create an URL object
  • Obtain an HttpsURLConnection
  • Configure the HttpsURLConnection to use the SocketFactory from the SSLContext
  • Read from an InputStream

Resources:

osp/lectures/lecture-security2.txt ยท Last modified: 2017/01/23 21:57 by laura.ruse
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0