What you want to do is client side authentication. The point of root CAs is to allow anyone to verify that they have a valid certificate, and in the case you are discussing, validate to the client that the server really is the correct server. Thus, by design, all root CAs are available to all parties to allow the validation to occur. If you want to control which clients have access to a server, you use client side authentication (the flip side of the server authentication you are verifying with the server certificate and root CAs). The client presents a client certificate to the server, and the server then can verify that the client is really a valid client.
You will need to check if Android supports client side authentication - if it does, then you distribute client certificates with your app to valid users of your service.

On Aug 16, 5:55 am, Miles <[email protected]> wrote:
> Hi, is it possible to install a CA certificate on the phone but limit
> its use only to specified apps? Meaning we don't want just any app to
> be able to do an SSL connection using this certificate. Or must we
> always bundle the certificate with each app that we want to limit its
> use to?

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
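Android's javax.net.ssl stack does support client certificates. The following is an added example, not code from this thread: it bundles the client identity (a PKCS#12 file, assumed to be named client.p12) and a trust store holding only the service's own CA (assumed to be named servertrust.bks) as app assets, and builds an SSLContext that presents the client certificate and trusts only that CA.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

public final class ClientCertHttps {
    // Hypothetical asset file names; both files ship inside the app package.
    private static final String CLIENT_P12 = "client.p12";
    private static final String SERVER_TRUST_BKS = "servertrust.bks";

    public static HttpsURLConnection open(Context ctx, URL url, char[] p12Password)
            throws Exception {
        // Client identity: private key plus certificate issued by the service's CA.
        // The KeyManager presents it when the server requests a client certificate.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = ctx.getAssets().open(CLIENT_P12)) {
            clientStore.load(in, p12Password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, p12Password);

        // Trust store containing only the service's CA certificate, so this
        // connection trusts that server and not the device-wide root CA set.
        KeyStore trustStore = KeyStore.getInstance("BKS");
        try (InputStream in = ctx.getAssets().open(SERVER_TRUST_BKS)) {
            trustStore.load(in, null);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Both sides of the authentication: our key managers (client auth)
        // and our trust managers (server auth).
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ssl.getSocketFactory());
        return conn;
    }
}
```

The server must be configured to require a client certificate and to verify it against the CA that issued the bundled client certificates; otherwise the KeyManager is never asked for the identity and any client can connect.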
