

How to access services over HTTPS from Android app behind proxy?

My Android app makes some web-service calls over HTTPS. Therefore users behind a proxy (mostly in corporate networks) were unable to use the app. So I added a custom HostnameVerifier:

HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // accepts any hostname, i.e. hostname verification is switched off
        return true;
    }
};

This fixes the problem, but also sends an open invite to MITM attackers. What kind of checks should I add to the HostnameVerifier? I also came across recommendations for using custom TrustManagers and adding my certificate there - but no one talks about what would happen if I ever update my server certificate - users won't be able to use the app unless I push an app update with the new SSL certificate (and they download the app).

In a nutshell, my question is how to make an app accessible behind a proxy, yet not susceptible to MITM. Or is it not possible? If not possible, do we "leak" our passwords while accessing a banking website if used behind a proxy?

A simple http proxy does not make any changes to the https communication, so everything should work without changes to certificate validation as long as the proxy is used the way it should be done, i.e. configured as proxy for the browser and not used via special URLs like https://proxy.example.com/tunnel?site=https://site.example.org .

Then there are proxies and firewalls which do SSL interception to scan encrypted connections for malware etc. In these cases the hostname of the certificate usually matches, but the issuer is different and not trusted by the OS. In this case this issuer's CA certificate has to be imported as trusted into the OS. For Android this is a central setting and does not depend on the application.

You should never ever simply disable parts of the certificate validation to make it easier for the user, because you then open your application to man-in-the-middle attacks. If a proxy is used the intended way and the corporate SSL interception is explicitly trusted by the user, then you are safe; if you add some special exceptions in your code, then you are not.
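To make the answer's point concrete, here is an added example (not code from the question or the answer above) of how an Android/Java client can go through an HTTP proxy while leaving the platform's certificate and hostname validation untouched. It relies only on standard java.net and javax.net.ssl classes; the URL, timeouts and the proxy.example.com:8080 address in main are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URL;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;

/**
 * Added example: HTTPS through a forward proxy with default TLS validation.
 *
 * A plain HTTP proxy only relays the encrypted bytes of an HTTPS connection
 * (HTTP CONNECT tunnel), so the server certificate is still checked end to end
 * by the platform trust store and the default HostnameVerifier. Nothing here
 * overrides setHostnameVerifier() or setSSLSocketFactory().
 */
public class ProxiedHttpsClient {

    /**
     * Returns the HTTP proxy the platform has configured for this URI, or
     * Proxy.NO_PROXY when the connection should be made directly. On Android
     * the default ProxySelector reflects the device's network proxy settings,
     * so the app does not need its own proxy configuration UI.
     */
    static Proxy proxyFor(URI uri) {
        List<Proxy> candidates = ProxySelector.getDefault().select(uri);
        for (Proxy candidate : candidates) {
            if (candidate.type() == Proxy.Type.HTTP) {
                return candidate;
            }
        }
        return Proxy.NO_PROXY;
    }

    /**
     * Performs a GET through the given proxy and returns the HTTP status code.
     * If an intercepting proxy presents a certificate from an issuer the
     * device does not trust, this throws an SSLHandshakeException. That is the
     * correct outcome: the fix is to install the interception CA on the device,
     * not to relax validation in the app.
     */
    static int fetchStatus(String urlString, Proxy proxy) throws IOException {
        URL url = new URL(urlString);
        HttpURLConnection raw = (HttpURLConnection) url.openConnection(proxy);
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IOException("expected an https:// URL, got " + url.getProtocol());
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(10_000); // assumed timeouts
        conn.setReadTimeout(10_000);
        try {
            int status = conn.getResponseCode();
            // Drain the body so the underlying connection can be reused.
            InputStream body = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
            if (body != null) {
                byte[] buf = new byte[4096];
                while (body.read(buf) != -1) { /* discard */ }
                body.close();
            }
            return status;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        String target = "https://api.example.com/v1/ping"; // assumed endpoint

        // Preferred: let the platform decide whether a proxy applies.
        Proxy platformProxy = proxyFor(URI.create(target));
        System.out.println("platform proxy: " + platformProxy);
        System.out.println("status: " + fetchStatus(target, platformProxy));

        // Alternative: an explicitly configured forward proxy (hypothetical
        // address). Certificate validation is unchanged in both cases.
        Proxy explicitProxy = new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress("proxy.example.com", 8080));
        System.out.println("status via explicit proxy: " + fetchStatus(target, explicitProxy));
    }
}
```

One caveat worth knowing when following the answer's advice to import the interception CA into the OS: starting with Android 7.0 (API 24), apps targeting that level trust only the system CA store by default, so a CA added by the user under Settings is ignored unless the app's network security configuration opts in to user-installed certificates. That opt-in is a declarative setting, not a change to validation logic, and keeps the MITM protection the answer describes.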
