Differences
This shows you the differences between two versions of the page.
|
osp:lectures:lecture-security2 [2016/12/11 18:40] laura.gheorghe [Practical] |
osp:lectures:lecture-security2 [2017/01/23 21:57] (current) laura.ruse [Lecture] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ===== 09 - Android Security (2) ===== | ===== 09 - Android Security (2) ===== | ||
| - | * Description: | + | * Description: SSL/TLS, JSSE API, Android JSSE providers |
| - | * Practical part: | + | * Practical part: HTTP, HTTPS, system trust store, custom trust store |
| ==== Lecture ==== | ==== Lecture ==== | ||
| - | *{{:osp:lectures:lecture-security-2.pdf | Lecture Slides}} | + | *{{:osp:lectures:lecture-security-2.pdf | Slides}} |
| + | *{{:osp:lectures:9.security2_notes.pdf | Notes}} | ||
| {{url>http://ocw.cs.pub.ro/courses/_media/osp/lectures/lecture-security-2.pdf}} | {{url>http://ocw.cs.pub.ro/courses/_media/osp/lectures/lecture-security-2.pdf}} | ||
| Line 16: | Line 17: | ||
| === Task 1 - Fetch web page through HTTP (3p) === | === Task 1 - Fetch web page through HTTP (3p) === | ||
| - | Create an application that downloads a web page through HTTP. The activity includes a text box and a button. The user introduces an URL and clicks on the button to obtain the contents of the web page. | + | Create an application that downloads a web page through HTTP. The activity includes an EditText, a Button and a TextView. The user introduces an URL and clicks on the button to obtain the contents of the web page. |
| - | When the button is clicked, check network connectivity through the **ConnectivityManager**. Then, perform network operations in an **AsyncTask**. Use **HttpURLConnection** for performing HTTP GET requests and **InputStream** for receiving the reply. | + | Steps: |
| + | * When the Button is clicked, check network connectivity through the **ConnectivityManager** | ||
| + | * Then, perform network operations in an **AsyncTask** | ||
| + | * Use **HttpURLConnection** for performing HTTP GET requests | ||
| + | * Get associated **InputStream** for receiving the reply | ||
| + | * The reply is displayed in the TextView | ||
| - | Resources: https://developer.android.com/training/basics/network-ops/connecting.html | + | Resources: |
| + | * https://developer.android.com/training/basics/network-ops/connecting.html | ||
| === Task 2 - Fetch web page through HTTPS (1p) === | === Task 2 - Fetch web page through HTTPS (1p) === | ||
| Line 26: | Line 33: | ||
| Modify the previous application in order to obtain web pages through HTTPS. Use **HttpsURLConnection**. | Modify the previous application in order to obtain web pages through HTTPS. Use **HttpsURLConnection**. | ||
| - | Resources: https://developer.android.com/training/articles/security-ssl.html | + | Resources: |
| + | * https://developer.android.com/training/articles/security-ssl.html | ||
| === Task 3 - Display system trust store (3p) === | === Task 3 - Display system trust store (3p) === | ||
| Line 34: | Line 42: | ||
| Modify the previous application in order to display the system trust store using **TrustManager**. | Modify the previous application in order to display the system trust store using **TrustManager**. | ||
| - | === Task 4 - Connect to a server with a certificate issued by an unknown CA - use a custom trust store (3p) === | + | Steps: |
| + | * Obtain an instance of **TrustManagerFactory** and initialize it | ||
| + | * Obtain an instance of the first **TrustManager** (**X509TrustManager**) | ||
| + | * Display information about each trust anchor (**X509Certificate**) | ||
| + | |||
| + | Resources: | ||
| + | * http://nelenkov.blogspot.ro/2011/12/using-custom-certificate-trust-store-on.html | ||
| + | |||
| + | === Task 4 - Use a custom trust store (3p) === | ||
| The previous application will not be able to fetch web pages on a server with a certificate that is issued by an unknown CA. For example: https://certs.cac.washington.edu/CAtest/, which uses certificate issued by UW Services Certificate Authority (which is not trusted by Android by default). Extend the application in order to be able to access this URL, by loading and using a custom trust store. | The previous application will not be able to fetch web pages on a server with a certificate that is issued by an unknown CA. For example: https://certs.cac.washington.edu/CAtest/, which uses certificate issued by UW Services Certificate Authority (which is not trusted by Android by default). Extend the application in order to be able to access this URL, by loading and using a custom trust store. | ||
| + | |||
| + | The steps for this task are almost similar to the ones for Task 2. | ||
| Steps: | Steps: | ||
| - | * Save certificate from server and put it in **res/raw/** | + | * Save certificate file from server and put it in **res/raw/** |
| * Load trusted CAs from file | * Load trusted CAs from file | ||
| * Create a **KeyStore** object and insert the trusted CAs | * Create a **KeyStore** object and insert the trusted CAs | ||
| - | * Obtain an instance of **TrustManagerFactory** and initialise it | + | * Obtain an instance of **TrustManagerFactory** and initialize it |
| - | * Obtain an instance of **SSLContext** and initialise it | + | * Obtain an instance of **SSLContext** and initialize it |
| * Create an **URL** object | * Create an **URL** object | ||
| * Obtain an **HttpsURLConnection** | * Obtain an **HttpsURLConnection** | ||
| Line 49: | Line 67: | ||
| * Read from an **InputStream** | * Read from an **InputStream** | ||
| - | Resources: https://developer.android.com/training/articles/security-ssl.html | + | Resources: |
| + | * https://developer.android.com/training/articles/security-ssl.html | ||
| + | * http://nelenkov.blogspot.ro/2011/12/using-custom-certificate-trust-store-on.html | ||
| | | ||
| - | |||
| - | |||
| - | |||
