On Wed, Mar 20, 2013 at 2:37 PM, Kenton Cross <[email protected]> wrote: > > I am developing an enterprise communications app to run on Android 4.0+. > This app has a native transport layer written in c/c++ which manages the SSL > connections with a SIP server. The native layer uses openSSL libraries for > the SSL connection. > > ... If you want to use Android Java, see http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/ and https://github.com/moxie0/AndroidPinning/blob/master/java/org/thoughtcrime/ssl/pinning/PinningTrustManager.java (thanks Nikolay).
If you want to use native code with OpenSSL, see https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning and https://www.owasp.org/images/f/f7/Pubkey-pin-openssl.zip. Both demonstrate certificate and public key pinning to strengthen assurances on the server's identity. They also use the built-in validation, such as a valid chain under a PKI and validity checks. I'm *not* sure if the built-in mechanisms perform a revocation check (CRL or OCSP). If you are not aware of the problems with PKI{X} (and the need for tricks like pinning), you might want to check out Chapter 13 of Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). Jon Larimer and Kenny Root spent a fair amount of time on the subject of pinning at Google I/O 2012's "Security and Privacy in Android Apps" (cf, https://developers.google.com/events/io/sessions/gooio2012/107/); and the Google/Android Security Team offers it as an "opt-in" option for sites on Android (cf, http://groups.google.com/group/android-security-discuss/browse_thread/thread/f5898be7ee9abc48). In addition, Google has authored an Internet Draft specifying the practice (cf, http://tools.ietf.org/id/draft-ietf-websec-key-pinning-03.txt). My apologies for the bike shedding. There are a lot of surprises lurking in PKI for the unsuspecting. Jeff -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
