Android: preventing a man-in-the-middle attack on SSL

I use HTTPS in my Android app to communicate with my own API. When I sniff a packet, I don't see anything useful. However, when I use software like Fiddler2 and install its certificate as trusted on my Android device, I see all my HTTPS calls in plaintext, which is dangerous.

The problem is very close to this one, but on Android rather than iPhone: Hiding iOS HTTPS calls from Fiddler

I use the loopj library for my HTTPS calls: Android Asynchronous Http Client http://loopj.com/android-async-http/

How can I deal with this vulnerability? (I know how to deal with it conceptually, but I need a code example.)

+4
1 answer

When the user chooses to install the Fiddler2 certificate as a trusted root certificate, he is choosing to compromise his own security. I'm not sure you can handle this, since your HTTPS connection goes through the Android certificate verification system, which will consider the connection valid because the certificate is trusted.

The solution I would use is to embed your SSL certificate in your application and tell your application that it is the only trusted certificate. This is safe and free, because you can bundle a self-signed certificate that you created yourself, since you control the verification mechanism. See this blog article for sample code.

+10
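The approach the answer describes (shipping your own certificate and making it the only trust anchor) in working form, as an added example that is not from the original post, the linked blog article, or the loopj project. Assumptions: the server certificate (PEM or DER) is bundled as `res/raw/my_api_cert` (name chosen here), and loopj's `AsyncHttpClient.setSSLSocketFactory` takes an Apache `SSLSocketFactory`, as in the loopj README of that era; in newer loopj versions the import path is `cz.msebera.android.httpclient.conn.ssl.SSLSocketFactory`.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import android.content.Context;
import com.loopj.android.http.AsyncHttpClient;
import org.apache.http.conn.ssl.SSLSocketFactory;

public final class PinnedTls {

    /**
     * Builds an in-memory KeyStore containing ONLY the certificate shipped in
     * res/raw/my_api_cert (assumed resource name). Nothing from the device's
     * system or user-added trust store is included, so a user-installed
     * Fiddler2 root CA has no effect on connections that use this store.
     */
    public static KeyStore loadPinnedTrustStore(Context context) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = context.getResources().openRawResource(R.raw.my_api_cert);
        Certificate pinned;
        try {
            pinned = cf.generateCertificate(in);
        } finally {
            in.close();
        }
        // load(null, null) creates an empty store with no default entries.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("my-api", pinned);
        return trustStore;
    }

    /** SSLContext whose only trust anchor is the pinned certificate. */
    public static SSLContext pinnedSslContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** loopj client wired to the pinned trust store (API per loopj README, assumed). */
    public static AsyncHttpClient pinnedLoopjClient(Context context) throws Exception {
        KeyStore trustStore = loadPinnedTrustStore(context);
        // SSLSocketFactory(KeyStore) trusts exactly the entries in the store and
        // keeps the default strict hostname verifier. Do NOT switch it to
        // ALLOW_ALL_HOSTNAME_VERIFIER, which would reopen the hole.
        SSLSocketFactory sf = new SSLSocketFactory(trustStore);
        AsyncHttpClient client = new AsyncHttpClient();
        client.setSSLSocketFactory(sf);
        return client;
    }

    /** Plain HttpsURLConnection variant for code paths that do not go through loopj. */
    public static HttpsURLConnection pinnedConnection(Context context, String url)
            throws Exception {
        SSLContext ctx = pinnedSslContext(loadPinnedTrustStore(context));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

To check it, repeat the Fiddler2 setup from the question: with its root certificate installed on the device, requests made through `pinnedLoopjClient` should now fail the TLS handshake (an `SSLHandshakeException` or `SSLPeerUnverifiedException` in the failure callback) instead of appearing decrypted in Fiddler. Two caveats: if you pin a leaf certificate, the app stops working the day that certificate is rotated, so either pin the issuing CA you control or ship the next certificate alongside the current one ahead of time; and pinning only raises the bar for a user inspecting their own traffic, since someone who can modify the APK can replace the bundled certificate.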
