android-selfsigned

General

Category
Free
Tag
Security
License
Apache License, Version 2.0
Min SDK
9 (Android 2.3–2.3.2 Gingerbread)
Registered
Aug 12, 2016
Favorites
0
Link
https://github.com/onehilltech/android-selfsigned
See also
Hardware Security SDK (FIDO)
Spring-Two-Factor-Auth-Android-App
Twitter digits authentication
Android-Password-Store
Android-PGP

Additional

Language
Java
Version
0.4.3 (Aug 11, 2016)
Created
Aug 9, 2016
Updated
Jun 24, 2019 (Retired)
Owner
One Hill Technologies (onehilltech)
Contributors
James H. Hill (hilljh82)
Zakary Kamal Ismail (ZakCodes)
2
Activity
Badge
Generate
Download
Source code

Advertisement

android-selfsigned

A simple library for supporting self-signed certificates in Android

  • Integrate with services that use self-signed certificates.
  • Preserve existing security measures on the mobile device.
  • Ideal for prototyping and testing using secure protocols.

NOTE. We strongly recommend that you purchase a certificate from a trusted authority when you move to production.

Installation

Gradle

buildscript {
  repositories {
    maven { url "https://jitpack.io" }
  }
}

dependencies {
  # Only include if using HttpsURLConnection
  compile com.github.onehilltech.android-selfsigned:android:x.y.z
  
  # Otherwise, use appropriate module for framework in use
  compile com.github.onehilltech.android-selfsigned:android-volley:x.y.
}

Getting Started

Manually define the list of hostnames/IP addresses that are using self-signed certificates. It is best to define the list as a resource so you can have different list for different Gradle configurations:

<resources>
    <string-array name="hostnames">
        <!-- localhost on the Android emulator -->
        <item>10.0.2.2</item>
    </string-array>
</resources>

Define an Application class to initialize the DefaultHostnameVerifier, which is used by HttpsURLConnection.

public class TheApplication extends Application 
{
  @Override
  public void onCreate ()
  {
    super.onCreate ();

    String [] hostnames = this.getResources ().getStringArray (R.array.hostnames);
    SelfSigned.getDefaultHostnameVerifier ().addAll (Arrays.asList (hostnames));
  }
}

Make sure you add the TheApplication class to AndroidManifest.xml.

<application
    android:name="[package].TheApplication"
    
    >
    
</application>

Add the public certificate to the application's assets. For example, if the certificate is in a file named server.crt, then it must be added to main/assets/server.crt (or the assets folder for the target configuration).

Now, determine the method for making secure requests:

android-volley

Volley uses HttpsURLConnection under the hood. If you do not set the default SSLSocketFactory, as explained above, then you can use the helper class to create a RequestQueue that supports self-signed certificates:

VolleySelfSigned.newRequestQueue (context, "server.crt")

Now, requests executed on the returned RequestQueue that interact with an hostname/IP address defined in the resources above will not throw the usual security exceptions.

HttpsURLConnection

First, create a SSLContext that uses the public certificate bundled as an asset:

SSLContext sslContext = AndroidSelfSigned.newSSLContext (context, "server.crt");

Attach the SSLContext to a HttpsURLConnection:

URL url = new URL ("https://10.0.2.2");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection ();
conn.setSSLSocketFactory (sslContext.getSocketFactory ());

You can even set the SSLContext as the default so you do not have to initialize the SSLSocketFactory for each HttpsURLConnection:

HttpsURLConnection.setDefaultSSLSocketFactory (sslContext.getSocketFactory ());

If you use this approach, it is best to do so in the Application class for your application.