
How to access services over HTTPS from Android app behind proxy?

My Android app makes some web-service calls over HTTPS. Therefore users behind a proxy (mostly in corporate networks) were unable to use the app. So I added a custom HostnameVerifier:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Accepts every hostname, whatever certificate the peer presented
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
};

This fixes the problem, but also sends an open invite to MITM attackers. What kind of checks should I add to the HostnameVerifier? I also came across recommendations for using custom TrustManagers and adding my certificate there - but no one talks about what would happen if I ever update my server certificate - users won't be able to use the app unless I push an app update with the new SSL certificate (and they download the app).

In a nutshell, my question is how to make an app accessible behind a proxy, yet not susceptible to MITM. Or is it not possible? If it is not possible, do we "leak" our passwords while accessing a banking website from behind a proxy?

A simple HTTP proxy does not make any changes to the HTTPS communication, so everything should work without changes to certificate validation as long as the proxy is used the way it should be, i.e. configured as a proxy for the browser and not used via special URLs like https://proxy.example.com/tunnel?site=https://site.example.org .

Then there are proxies and firewalls which do SSL interception to scan encrypted connections for malware etc. In these cases the hostname of the certificate usually matches, but the issuer is different and not trusted by the OS. In this case this issuer's CA certificate has to be imported as trusted into the OS. For Android this is a central setting and does not depend on the application.

You should never simply disable parts of the certificate validation to make it easier for the user, because you then open your application to man-in-the-middle attacks. If a proxy is used the intended way and the corporate SSL interception is explicitly trusted by the user, then you are safe; if you add some special exceptions in your code, then you are not.
