Office Hours — Today, November 6

Saturday, November 3

Nov 6
8:55 AM
Mark M.
has entered the room
Mark M.
turned on guest access
Jamshaid A.
has entered the room
Mark M.
hello, Jamshaid!
how can I help you today?
Jamshaid A.
hello, I have a question regarding network security config. As I understood, when the app only talks to your server there is a good reason to use client certificates.
With the CWAC-NetSecurity backport, do I only have to add the network security config and just use any HTTP library?
or do I have to tell the library to use the certificate like it's shown for OkHttp?
Mark M.
there is a native network security configuration feature in Android 7.0 -- CWAC-NetSecurity is a backport of that
9:00 AM
Mark M.
my backport works with OkHttp and to a lesser extent with HttpsURLConnection
if you wish to use network security configuration, and simply need some light support for older devices, CWAC-NetSecurity is a reasonable choice
Jamshaid A.
yes, I am on Android 4.4
Mark M.
if you are focusing on OkHttp, though, they have their own certificate pinning that you could use
Jamshaid A.
as I understood, certificate pinning and client certificates are different things? is that correct
I intend to use client certificates
Mark M.
neither CWAC-NetSecurity nor Android 7.0's network security configuration uses client certificates, at least as how I would use that term
well, OK, I suppose that is not really correct
Jamshaid A.
are self-signed certificates not the same as client certificates? I guess I termed it wrongly. The idea is that the server has a certificate that I can also put in my app and then communicate
Mark M.
a self-signed certificate is not really a client certificate
or, rather, a server that is using a self-signed certificate does not require clients to use client certificates
9:05 AM
Mark M.
with network security configuration/CWAC-NetSecurity, for self-signed certificates, you do include the public certificate information in the app
and you reference it using a <certificates> element in <trust-anchors> in your configuration
OkHttp also supports self-signed certificates, though it is more complicated
since you can get regular SSL certificates for free from Let's Encrypt and other places, I am not certain what value there is in a self-signed certificate nowadays
Jamshaid A.
we have our own Android devices and a server that exposes an API that is to be used only by these devices.
So the idea was for authorization: only devices that have the public certificate can communicate then
does this make sense :P
Mark M.
that seems reasonable, though it is an unusual scenario
relatively few developers have their own hardware :-)
Jamshaid A.
yes :)
9:10 AM
Mark M.
and, to be honest, if that hardware is running Android 4.4, you have *much* bigger security problems
Jamshaid A.
can you elaborate or hint at what those problems might be
we do use Wi-Fi to connect these devices
Mark M.
um, well, like all the security problems that have been fixed over the past few years
Jamshaid A.
as I understand, certificate pinning or self-signed certificates will help with MITM attacks
Mark M.
Google isn't backporting most of those all the way to Android 4.4, as I understand it
certificate pinning or self-signed certificates are definitely good techniques for securing against MITM attacks
my point is that Android 4.4 itself is old
Jamshaid A.
that is true; unfortunately we only have the possibility to sign our apps with OEM certificates but nothing more than that
so we can build apps using reflection and system privileges, as far as I understood
one more question was: if somehow the app is decompiled, will the public certificate render the server insecure?
Mark M.
no
after all, for regular SSL, everybody has access to the public certifiate
er, certificate
that does not render all SSL-enabled servers insecure
Jamshaid A.
so the idea was that only our apps have the public certificate and then only those apps can communicate, but if someone manages to get this, they can call our backend APIs?
Mark M.
they can try
9:15 AM
Mark M.
SSL is not a replacement for authentication
Jamshaid A.
what would you suggest for such a scenario? what scheme would be a good secure way for authentication?
Mark M.
I cannot really answer that, as it depends a lot on the app and client
standard SSL, including server self-signed certificates, exists to prevent those who have access to your network traffic from being able to do anything with it, as it is encrypted
Jamshaid A.
how are client certificates different from self-signed ones btw
Mark M.
a client certificate -- at least as how I would use the term -- serves to uniquely identify the client
you might use it for digital signatures or even encryption
it basically is like your server certificate, just in reverse
9:20 AM
Mark M.
the problem with client certificates is that if the client itself is compromised (e.g., somebody steals the hardware), those certificates are compromised and would have to be considered invalid on the server (e.g., do not accept anything digitally signed by them)
Jamshaid A.
what are the possibilities to have client certificates and then use them to communicate with the server in Android
Mark M.
I have not really used them in Android, so I cannot answer that, sorry
Jamshaid A.
okay, thanks anyway
do you know of a good resource to learn about security and certificates?
a good book maybe, for Android
Mark M.
there are a variety of books on Android security, but I have not looked at them recently
and I do not know if any cover client certificates
9:25 AM
Mark M.
if Nikolay Elenkov has updated his book, his would be good
Jamshaid A.
I will look :)
Mark M.
looks like it is still the 2014 edition ("Android Security Internals")
Jamshaid A.
I have another question regarding SyncAdapter. If I have some data in my app, I can have a background service sync the data; when is it advantageous to use a sync adapter?
when exactly the syncing happens, does the framework decide, or can one hint the server when to sync?
Mark M.
personally, I have always found SyncAdapter to be far more pain than it is worth, which is why I do not cover it in my books
last I checked, the OS decides when to sync
Jamshaid A.
for instance, if one has multiple apps and they all authenticate to the same server, i.e. when Facebook has both Facebook and Messenger, then one should use a sync adapter?
because it also requires the AccountAuthenticator stuff
also
though I guess that can be ignored if there is no authentication
Mark M.
I am not aware of any way that SyncAdapter would somehow be preferable if you have multiple apps installed on the client
9:30 AM
Mark M.
but, again, I have not worked with it much -- even Google is not really talking about it
Jamshaid A.
so if in general one wants to authenticate multiple apps on a client device
Mark M.
that is far outside my realm of expertise, sorry
Jamshaid A.
what to do, because for instance Google or Facebook have their accounts showing up in the Accounts settings
okay :)
thanks a lot for your time, it helped a lot. I will look for the rest in the book, which is also just awesome.
And I'll show up in the next chat hours. Good day :)
Mark M.
have a pleasant day!
Jamshaid A.
has left the room
9:35 AM
Jamshaid A.
has entered the room
Jamshaid A.
P.S. this question on Stack Overflow where it states "The issue lies in that the self signed cert can't be used until it exists in the android TrustStore"
is not correct, right?
9:40 AM
Jamshaid A.
https://nelenkov.blogspot.com/2011/12/using-cus... states that's true for Android versions before 4.0
9:45 AM
Jamshaid A.
so it's clear :P
Jamshaid A.
has left the room
Mark M.
the answer is a bit confusing
10:00 AM
Mark M.
turned off guest access


People in this transcript

  • Jamshaid Ali
  • Mark Murphy