SSL on Android: OnionKit
(In thanks to The Guardian Project for some assistance in assembling this material, I am blogging a portion of The Busy Coder’s Guide to Android Development Version 4.6 that covers SSL on Android. This is the fourth part of a four-part series. The other parts include:
Note that if you are reading this in late 2013 or beyond, the material in the book may be newer than these blog posts.)
The Guardian Project has released an Android library project called OnionKit, designed to help boost Internet security for Android applications. It offers two major features: a replacement TrustManager called StrongTrustManager, and Tor integration.

StrongTrustManager offers pinning, as described in the previous post, along with a custom set of root certificates, based upon the certificates used by the Debian Linux distribution. The custom set of root certificates addresses one annoyance with Android: Android’s set of root certificates varies by OS version (and, occasionally, by device due to changes from a device manufacturer). StrongTrustManager puts you in control of the root certificates that are used, so you can eliminate roots that you no longer trust (e.g., TURKTRUST): you tailor the root certificates that StrongTrustManager uses by means of the CACertMan utility, also published by the Guardian Project.
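To make the "bring your own roots, then pin" idea concrete, here is an added example written for this post; it is not OnionKit's or the Guardian Project's code and uses only the standard Java/Android TLS APIs. It assumes a hypothetical PEM bundle of root certificates at `res/raw/roots.pem`, and the pin value is a placeholder to be replaced with the SHA-256 of your server's SubjectPublicKeyInfo. The trust store is built from the bundled roots alone (no OS roots), and a wrapper TrustManager rejects any chain whose leaf public key is not pinned.

```java
// Added example (not OnionKit's code): an SSLContext that trusts only root
// certificates bundled with the app, plus a public-key pin on the server's leaf.
// Assumptions: a PEM bundle at res/raw/roots.pem and the pin value are placeholders.
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.content.Context;

public class AppTrust {
    // Hypothetical: hex SHA-256 of the server's SubjectPublicKeyInfo. Replace with your own.
    private static final Set<String> SPKI_PINS =
        Collections.singleton("PLACEHOLDER_SPKI_SHA256_HEX");

    // Build a trust store from the PEM roots shipped in the APK and wrap the
    // platform X509TrustManager so every handshake also passes the pin check.
    public static SSLContext build(Context ctx, int rawPemResId) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty store: none of the OS roots
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = ctx.getResources().openRawResource(rawPemResId);
        try {
            Collection<? extends Certificate> roots = cf.generateCertificates(in);
            int n = 0;
            for (Certificate root : roots) {
                ks.setCertificateEntry("root" + (n++), root);
            }
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { base = (X509TrustManager) tm; break; }
        }
        if (base == null) throw new IllegalStateException("no X509TrustManager available");
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new PinningTrustManager(base) }, null);
        return sc;
    }

    // Open an HTTPS connection that uses the restricted, pinned trust configuration.
    public static HttpsURLConnection open(Context ctx, URL url, int rawPemResId)
            throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(build(ctx, rawPemResId).getSocketFactory());
        return conn;
    }

    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager base;
        PinningTrustManager(X509TrustManager base) { this.base = base; }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            base.checkServerTrusted(chain, authType);   // must chain to a bundled root
            String spki = hexSha256(chain[0].getPublicKey().getEncoded());
            if (!SPKI_PINS.contains(spki)) {
                throw new CertificateException("server public key is not pinned: " + spki);
            }
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            base.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }

        private static String hexSha256(byte[] data) throws CertificateException {
            try {
                byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
                StringBuilder sb = new StringBuilder(d.length * 2);
                for (byte b : d) sb.append(String.format("%02x", b));
                return sb.toString();
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }
    }
}
```

Two things to keep in mind when adapting this: the pin is checked only after the ordinary chain validation succeeds, so a pin never loosens trust, only tightens it; and pinning the leaf key means every key rotation on the server requires an app update, which is why many deployments pin an intermediate or the CA key (with a backup pin) instead.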
OnionKit takes matters a step further and helps your application integrate with Orbot, a Tor proxy. Tor (“The Onion Router”) is designed to help with anonymity, having your Internet requests go through a series of Tor routers before actually connecting to your targeted server through some Tor endpoint. Tor is used for everything from mitigating Web site tracking to helping dissidents bypass national firewalls. OnionKit helps your app:
- Detect if Orbot is installed, and help the user install it if it is not
- Detect if Orbot is running, and help you start it if it is not
- Make HTTP requests by means of Orbot instead of directly over the Internet
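The three bullets above map onto a handful of standard Android and java.net calls. The following is an added example, not OnionKit's code, showing the detection and proxying steps with no OnionKit dependency. It assumes Orbot's package name is `org.torproject.android` and that Orbot exposes a local SOCKS proxy on `127.0.0.1:9050` (both stated as assumptions in the code). Starting Orbot when it is not running depends on Orbot's own intent contract, which OnionKit wraps and this example does not reproduce; instead it uses a port probe as a cheap "is the proxy up?" heuristic.

```java
// Added example (not OnionKit's code): detect Orbot, offer to install it, and route
// an HTTP request through its local SOCKS proxy.
// Assumptions: Orbot package name org.torproject.android, SOCKS proxy at 127.0.0.1:9050.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.Socket;
import java.net.URL;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;

public class OrbotGlue {
    static final String ORBOT_PACKAGE = "org.torproject.android";   // assumption
    static final String PROXY_HOST = "127.0.0.1";
    static final int SOCKS_PORT = 9050;                              // assumption (Orbot default)

    // "Is Orbot installed?" == "does the package manager know the package?"
    public static boolean isOrbotInstalled(Context ctx) {
        try {
            ctx.getPackageManager().getPackageInfo(ORBOT_PACKAGE, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    // Send the user to the app store listing so they can install Orbot.
    public static void promptInstall(Context ctx) {
        Intent i = new Intent(Intent.ACTION_VIEW,
                              Uri.parse("market://details?id=" + ORBOT_PACKAGE));
        ctx.startActivity(i);
    }

    // Heuristic for "Orbot is running": something accepts connections on the SOCKS port.
    // Call off the main thread; it performs network I/O.
    public static boolean isProxyListening() {
        Socket s = new Socket();
        try {
            s.connect(new InetSocketAddress(PROXY_HOST, SOCKS_PORT), 500);
            return true;
        } catch (IOException e) {
            return false;
        } finally {
            try { s.close(); } catch (IOException ignored) { }
        }
    }

    // Route this request through Orbot instead of directly over the Internet.
    public static HttpURLConnection openViaTor(URL url) throws IOException {
        if (!isProxyListening()) {
            throw new IOException("Orbot proxy not reachable; refusing to connect directly");
        }
        Proxy tor = new Proxy(Proxy.Type.SOCKS, new InetSocketAddress(PROXY_HOST, SOCKS_PORT));
        return (HttpURLConnection) url.openConnection(tor);
    }
}
```

The fail-closed check in `openViaTor` matters: if the proxy is down and you silently fall back to a direct connection, the user loses the anonymity they expected without any indication. Also note that with a `Proxy.Type.SOCKS` proxy, the Java HTTP client may resolve the destination hostname locally before handing the connection to the proxy, which leaks the name you are contacting via DNS outside Tor; routing through Orbot's HTTP proxy (where the proxy performs name resolution) or letting a library such as OnionKit handle the plumbing avoids that.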
If the name “The Guardian Project” rings a bell, it may be because they were the ones who spearheaded the original development of SQLCipher for Android, a version of SQLite with automatic AES-256 encryption.