On Fri, Nov 16, 2012 at 12:45 AM, Nathan of Guardian <[email protected]> wrote: . > > With that in mind, we have added a Secure Connection Notification feature > into our newOnionKit for Android library. Build upon our previous work on > implementing custom Root CA Certificate stores for Android, this library not > only provides a clear way to enable HTTP and SOCKS proxying for your network > requests (to enable use with our app, Orbot: Tor for Android), but it also > includes a StrongTrustManager and a StrongHTTPSClient implementation, that > works to defend against man-in-the-middle attacks, and other means to > intercept a TLS or SSL connection between a mobile app and a remote server. > Part of the defense, is providing a clear indicator to the user when a > secure connection is in use.
This is all very interesting. However, most users neither know or care what HTTPS or a certificate is, so even if they see detailed information about it, most will ignore it. Unfortunately a lot of developers don't know/care either, they just want the damned thing to work. Unless the red/green, etc. indication is a part of the system, you can't really expect developers to voluntary integrate it either. BTW, note that Android 4.2 already has some pinning support, but while there is a an API to check if a certificate is the right one for a site, the pinning database can only be controlled by the system (via a broadcast with signed updates, similar to the premium SMS protection thingy) and there is no UI for it. > > > Beyond “Active” messages, the notification system will also warn or block > connections that are deemed risky, invalid or otherwise unverifiable. How do you determine that a connection is risky? > You > can use OnionKit in concert with theMemorizingTrustManager to manually > override this verification process, if your application is expected to often > connect to servers with unverifiable certificates. Finally, using our CACert > project, you can generate custom Root CA stores for use with OnionKit, that > utilize your own certificate authorities, or a custom rolled set. On ICS and later you can disable system trust anchors in Settings and your own trusted certificates. Does CACert offer additional functionality on ICS+? I haven't used recent version, but IIRC, before it would only let you remove certificates from the system trust store. > > Finally, we would like to see Android and other mobile operating systems, > adopt a system such as this device-wide, such that it becomes as standard as > the desktop web browser HTTPS lock. > You may want to post to android-security as well to get some feedback for the Android security team. -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
