Re: [android-developers] SSL Android
On Fri, Sep 23, 2011 at 1:45 AM, Sivaprakash
<sivaprakashshanmugam@gmail.com> wrote:
> Hi
> I want to do a webservice call from my client app (HTTPs), With this
> following code I am able to connect and get the response successfully but
> want to know what I am doing is the correct one or not? Could someone
> review and tell me is this secured way of connecting?
If you want to ensure security, hire an expert to review your codez, and
don't believe everything you see on the net. With that said, read on.
> I have followed steps which is explained
> in http://blog.synyx.de/2010/06/android-and-self-signed-ssl-certificates/
The so called 'EasyX509TrustManager' from that blog will accept *any*
self-signed certificate as long as it is time-valid (not expired). It doesn't
care whether it is your certificate or someone else's. There is no way
to do this correctly without creating a custom trust store for your
application and adding your self-signed certificate to it. Anything else
is trouble waiting to happen. There is a perfectly usable for this in the
SDK, don't know why people ignore it all the time. You just need to pass
a Keystore instance to the constructor: