Securing Network Data Tutorial for Android | Ray Wenderlich

In this Android tutorial, you’ll learn how to keep your information private by securing network data in transit.


This is a companion discussion topic for the original entry at https://www.raywenderlich.com/5634-securing-network-data-tutorial-for-android

Is this training the same for Java?

@cano33 Yes, it’s exactly the same, especially the Certificate and Public Key Pinning section, which relies mostly on configuration files. The classes used are all accessible from Java, so you could write it that way. For example, the Enforcing HTTPS section would look like this:

import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
URL url = new URL("https://example.com");
// The cast only succeeds for an https:// URL; an http:// URL yields a plain HttpURLConnection and the cast throws ClassCastException.
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
httpsURLConnection.connect();

I want all the links to my app hidden against MITM attacks. How can I do this in the main activity? Is that possible, or do I need to write separate code for each URL?

@nsdestr0yer Can you please help with this when you get a chance? Thank you - much appreciated! :]

Hi @cano33 - The Understanding Certificate and Public Key Pinning section of the article covers exactly this. Implementing certificate pinning can save you from MITM attacks. In order to implement pinning on Android N and higher, you need to add a hash (called pins) of the certificate into a network_security_config.xml file. Let me know if you have any trouble with the instructions in the tutorial for this.

I notice you also said all links to your app, so I’m not sure if you also mean Intents and Broadcasts. To broadcast data to more than one app, you should enforce that only apps signed with your signing key will get the data. Otherwise, the information you send can be read by any app that registers to receive the broadcast. If you aren’t sending or registering to receive broadcasts then this doesn’t apply.
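As an added example (not code from the tutorial or from anyone in this thread): the pin value that goes into the network_security_config.xml `<pin>` element is base64(SHA-256(SubjectPublicKeyInfo)) of the certificate, not a hash of the whole certificate. This small Python script extracts the SubjectPublicKeyInfo from a DER certificate, computes that pin, and renders the `<pin-set>` entry. The certificate it builds for testing is a constructed skeleton, not a real certificate, and the default expiration date is an assumption.

```python
import base64
import hashlib

def der_tlv(tag, body):
    """Encode one DER tag-length-value (only used to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, cert, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)       # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0     # skip the optional [0] EXPLICIT version
    for _ in range(5):                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)      # subjectPublicKeyInfo
    return tbs[pos:end]

def pin_of_spki(spki_der):
    """Pin value in the form Android expects: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    return pin_of_spki(extract_spki(cert_der))

def network_security_config(domain, pins, expiration="2030-01-01"):
    """Render a network_security_config.xml pin-set; pass a backup pin too, for key rotation."""
    pin_lines = "".join(f'      <pin digest="SHA-256">{p}</pin>\n' for p in pins)
    return (f'<network-security-config>\n  <domain-config>\n'
            f'    <domain includeSubdomains="true">{domain}</domain>\n'
            f'    <pin-set expiration="{expiration}">\n{pin_lines}    </pin-set>\n'
            f'  </domain-config>\n</network-security-config>\n')

def build_sample_cert():
    """Constructed minimal certificate skeleton (not a real cert) with a known SPKI."""
    spki = der_tlv(0x30, der_tlv(0x30, b"\x06\x03\x2a\x03\x04") + der_tlv(0x03, b"\x00\xab\xcd"))
    tbs = der_tlv(0x30, der_tlv(0xa0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, b"") * 4 + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00")), spki
```

For a real server certificate saved as PEM, convert it with `ssl.PEM_cert_to_DER_cert` from the standard library before passing it to `spki_pin`.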

Thank you so much for the fast reply…
And one more question… in my project I’m using AsyncHttpClient, and I don’t know how I can integrate that code in my app. Can you help me integrate it? I hope you can help me.

import android.view.View;
import com.loopj.android.http.AsyncHttpClient;
import com.loopj.android.http.AsyncHttpResponseHandler;
import cz.msebera.android.httpclient.Header; // android-async-http 1.4.9+; older releases use org.apache.http.Header
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

private void getCategory() {
    // Default client: system TLS validation only, no pinning configured yet
    AsyncHttpClient client = new AsyncHttpClient();
    client.get(Constant.CATEGORY_URL, new AsyncHttpResponseHandler() {

        @Override
        public void onStart() {
            super.onStart();
            showProgress(true);
        }

        @Override
        public void onSuccess(int statusCode, Header[] headers, byte[] responseBody) {
            showProgress(false);
            String result = new String(responseBody);
            try {
                JSONObject mainJson = new JSONObject(result);
                JSONArray jsonArray = mainJson.getJSONArray(Constant.ARRAY_NAME);
                JSONObject objJson;
                for (int i = 0; i < jsonArray.length(); i++) {
                    objJson = jsonArray.getJSONObject(i);
                    ItemCategory objItem = new ItemCategory();
                    objItem.setCategoryId(objJson.getString(Constant.CATEGORY_CID));
                    objItem.setCategoryName(objJson.getString(Constant.CATEGORY_NAME));
                    objItem.setCategoryImage(objJson.getString(Constant.CATEGORY_IMAGE));
                    mListItem.add(objItem);
                }
            } catch (JSONException e) {
                e.printStackTrace();
            }
            displayData();
        }

        @Override
        public void onFailure(int statusCode, Header[] headers, byte[] responseBody, Throwable error) {
            showProgress(false);
            lyt_not_found.setVisibility(View.VISIBLE);
        }

    });
}

@nsdestr0yer Do you have any feedback about this? Thank you - much appreciated! :]

Hi there! I see the AsyncHTTPClient lets you work with a configured SSLContext:
https://people.apache.org/~simonetripodi/ahc/ssl.html

Without having to do all the underlying work yourself, check out datatheorem/TrustKit-Android on GitHub (“Easy SSL pinning validation and reporting for Android”) and see their example in the Initializing TrustKit with the Pinning Policy section.

There you will see it sets up a socket factory that can be used with whatever library you’re using.

So you can call setSSLSocketFactory on the AsyncHTTPClient instance. For your code example, that would look like this:

client.setSSLSocketFactory(TrustKit.getInstance().getSSLSocketFactory(Constant.serverHostname));

before the client.get statement.

Let me know if you run into any problems, thanks!

This tutorial is more than six months old so questions are no longer supported at the moment for it. Thank you!