Implementing SSL in MQTT Android connection

Question

I have a question related to the use of MQTT protocol in Android environment. We are developing an Android application and using com.ibm.micro.client.mqttv3_7.5.0.0.jar MQTT client library in order to send push notifications to Android devices. My question is about SSL connection. In desktop applications, we copy our .keystore file in a proper location and refer to it as follows;

public Properties getSSLSettings() {
    final Properties properties = new Properties();
    properties.setProperty("com.ibm.ssl.keyStore",
        "C:/BKSKeystore/mqttclientkeystore.keystore");
    properties.setProperty("com.ibm.ssl.keyStoreType", "BKS");
    properties.setProperty("com.ibm.ssl.keyStorePassword", "passphrase");
    properties.setProperty("com.ibm.ssl.trustStore",
        "C:/BKSKeystore/mqttclienttrust.keystore");
    properties.setProperty("com.ibm.ssl.trustStoreType", "BKS");
    properties.setProperty("com.ibm.ssl.trustStorePassword", "passphrase ");

    return properties;
}

Above code works perfectly to get SSL settings. We implemented this code also in Android, but it is very clear that holding .keystore file(s) inside the device is not secure at all. My question is, is there any other alternative to implement SSL connection without storing .keystore file(s) inside device' s internal or external storages?

Answer 1

In later versions of android you can access the device's keystore using KeyChain to provide access to private keys. For the trust store using the device's trust store works fine, which android uses by default for SSL connections. Also IBM have a messaging community which has information on using their libraries on mobile devices.