The following is the first few sections of a chapter from The Busy Coder's Guide to Android Development, plus headings for the remaining major sections, to give you an idea about the content of the chapter.


The traditional approach to securing HTTP operations is by means of SSL. Android supports SSL, much as ordinary Java does. Most of the time, you can just allow Android to do its thing with respect to SSL, and you will be fine. However, there may be times when you have to play a more direct role in SSL communications, to handle arbitrary SSL-encrypted endpoints, or to help ensure that your app is not the victim of a man-in-the-middle attack.

This chapter will explore various SSL scenarios and how to address them.


Understanding this chapter requires that you have read the core chapters of this book, particularly the chapter on Internet access.

Basic SSL Operation

Generally speaking, SSL “just works”, for ordinary sites with ordinary certificates.

If you use an https: URL with HttpURLConnection or WebView, SSL handshaking will happen automatically, and assuming the certificates check out OK, you will get your result, just as if you had requested an http: URL.

However, originally, requesting a download via DownloadManager with an https: scheme would result in java.lang.IllegalArgumentException: Can only download HTTP URIs. As of Android 4.0, SSL is supported. Hence, you need to be careful about making SSL requests via DownloadManager if your minSdkVersion is less than 14.

For example, the Retrofit and Picasso sample apps from the chapter on Internet access both use for their service endpoint. As a result, those requests — for the API JSON, at least — will go over SSL. You would need to log the URLs used for the image avatars to see whether StackExchange gives you https URLs or not.
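One way to handle the DownloadManager limitation described above without giving up SSL on older devices, as an added example that is not code from the book. The SecureDownloader class and its download() method are hypothetical names; the sketch assumes the app holds the INTERNET permission and that external storage is available.

```java
import android.app.DownloadManager;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.os.Environment;
import java.io.*;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

/** Hypothetical helper, not from the book: keeps https: downloads on SSL on every API level. */
public final class SecureDownloader {
  /** Returns the DownloadManager ID, or -1 if the file was fetched directly. Call off the main thread. */
  public static long download(Context ctxt, String url, String filename) throws IOException {
    Uri uri = Uri.parse(url);
    if (!"https".equalsIgnoreCase(uri.getScheme())) {
      throw new IllegalArgumentException("Expected an https: URL");
    }
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
      // API 14+ (Android 4.0): DownloadManager accepts https: URIs
      DownloadManager.Request req = new DownloadManager.Request(uri)
          .setDestinationInExternalFilesDir(ctxt, Environment.DIRECTORY_DOWNLOADS, filename);
      DownloadManager mgr = (DownloadManager) ctxt.getSystemService(Context.DOWNLOAD_SERVICE);
      return mgr.enqueue(req);
    }
    // Older devices: DownloadManager would throw IllegalArgumentException here.
    // Fetch over SSL ourselves instead of rewriting the URL to http:
    HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
    File dest = new File(ctxt.getExternalFilesDir(Environment.DIRECTORY_DOWNLOADS), filename);
    InputStream in = null;
    OutputStream out = null;
    try {
      in = conn.getInputStream(); // SSL handshake and certificate checks happen here
      out = new FileOutputStream(dest);
      byte[] buf = new byte[8192];
      int n;
      while ((n = in.read(buf)) != -1) {
        out.write(buf, 0, n);
      }
    } finally {
      if (out != null) out.close();
      if (in != null) in.close();
      conn.disconnect();
    }
    return -1;
  }
}
```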

Problems in Paradise

The preview of this section is presently indisposed.

Introducing Network Security Configuration

The preview of this section was abducted by space aliens.

SSL Problems and Network Security Configuration

The preview of this section was the victim of a MITM ('Martian in the middle') attack.

Other SSL Strengthening Techniques

The preview of this section was traded for a bag of magic beans.

Advanced Uses of CWAC-NetSecurity

The preview of this section is out seeking fame and fortune as the Dread Pirate Roberts.

