Note that using HTTPS does not give you end-to-end security in this 
scenario. The server is a man-in-the-middle. It's not a surreptitious one, 
but it is a man-in-the-middle nonetheless. The cert only serves to ensure 
it's the *right* man in the middle.

So you'll still want to encrypt the payload when using a server this way, 
unless you're going to make the server a trusted partner. And -- for 
liability reasons, if nothing else -- you'd like to avoid that unless it's 
essential to the service being provided.

A secure key exchange requires at least a pair of bidirectional messages. 
You're going to have to do that as well. Basically, to communicate securely 
over any untrusted channel, you'll have to do something like what TLS does under 
HTTPS -- verification of the identity of the other end of the exchange, 
secure key exchange, and subsequent encryption. You also have to pay 
attention to key lifetimes, etc. HTTPS between you and the server really 
isn't buying you much toward end-to-end security.

Having the server handle authentication does simplify the picture in various 
ways. And a secure server in the middle can let you address various security 
issues with mobile devices, like revoking access more strongly than is 
possible with certificate revocation lists.

There are no simple answers in security. Everything ends up being 
complicated.

On Sunday, May 29, 2011 9:14:11 PM UTC-7, Nikolay Elenkov wrote:
>
> It might actually be easier and more secure to exchange just URLs, and
> have the app get the data via https *and* authenticate to the server,
> rather than trying to implement a secure protocol on top of NFC. That way
> the app can be sure it's talking to the right server (server certificate)
> and the server can be sure it's giving the data to the right person
> (Google account, etc. authentication).
>

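The three steps named in the message above (verifying the other end's identity, key exchange, then payload encryption), in Java, as an added example that is not part of the original thread. It assumes each device already holds the other's long-term EC public key, uses SHA-256 as a stand-in KDF, and the class and method names are hypothetical.

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;
public class E2EThroughServer {
    // Sign an ephemeral public key with the sender's long-term identity key.
    static byte[] sign(PrivateKey identity, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(identity); s.update(data);
        return s.sign();
    }
    // Verify the peer's signature first, then derive the AES key from the ECDH secret.
    static SecretKey deriveKey(PrivateKey myEph, byte[] peerEph, byte[] sig, PublicKey peerId) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(peerId); s.update(peerEph);
        if (!s.verify(sig)) throw new SecurityException("peer key not signed by expected identity");
        PublicKey peer = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(peerEph));
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(myEph); ka.doPhase(peer, true);
        // Assumption: SHA-256 stands in for a KDF; a real design would use HKDF with context info.
        return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ka.generateSecret()), "AES");
    }
    static byte[] seal(SecretKey k, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh nonce per message, sent in front of the ciphertext
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain), out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static byte[] open(SecretKey k, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, msg, 0, 12));
        return c.doFinal(msg, 12, msg.length - 12); // throws if the server altered the message
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair idA = g.generateKeyPair(), idB = g.generateKeyPair();   // long-term identities
        KeyPair ephA = g.generateKeyPair(), ephB = g.generateKeyPair(); // per-session keys
        byte[] pubA = ephA.getPublic().getEncoded(), pubB = ephB.getPublic().getEncoded();
        byte[] sigA = sign(idA.getPrivate(), pubA), sigB = sign(idB.getPrivate(), pubB); // the two messages
        SecretKey kA = deriveKey(ephA.getPrivate(), pubB, sigB, idB.getPublic());
        SecretKey kB = deriveKey(ephB.getPrivate(), pubA, sigA, idA.getPublic());
        byte[] relayed = seal(kA, "constructed sample payload".getBytes("UTF-8")); // all the server sees
        System.out.println(new String(open(kB, relayed), "UTF-8"));
    }
}
```

Discarding the ephemeral key pairs after each session is what bounds the key lifetime the message mentions.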