Michael Rogers:
> On 06/09/16 11:54, Hans-Christoph Steiner wrote:
>> Have you run tests yet of HTTPS verification using your technique? You
>> can take code from the NetCipher tests if you want.
>
> Thanks, that's a good idea. We've tried it with a few HTTPS sites but
> haven't done any testing in depth.
>
>> I don't remember details now, but I know that when doing tricks with how
>> Socket instances are created on Android, important pieces went missing,
>> like hostname verification. In cases like these, it is important to
>> remember that Android != Java. Android only promises to provide what
>> they document in their SDK docs, not all of Java. And many companies
>> choose to take that opportunity to get lazy/sloppy with their builds of
>> Android.
>
> Unfortunately these device-specific issues are hard to test on anything
> except a pile of real devices - any suggestions for how to reduce the
> manual testing workload?

I usually aim to test on one device from a major manufacturer, especially ones that are known to customize their ROMs a lot (e.g. Samsung). For a good survey, you have to use services like appthwack that let you rent lots of devices by the hour.

So my memory is coming back on the technical details of all this. It seems that Apache Harmony/Android's implementation of sockets omitted the SOCKS support, even though the docs said it was there. They added it in some time recently, like 5.1 or maybe even 6.0. It would be good to find a real reference to that so we know when we can count on it.

.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
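The missing-hostname-verification problem raised in this thread, as an added example that is not code from either poster, from NetCipher or from the project under discussion: on Android, a raw `SSLSocket` layered over a socket you created yourself validates the certificate chain but does not compare the certificate with the hostname, so the check has to be made explicitly. The class and method names are hypothetical, and `tunnel` is assumed to be a socket already connected to the target by whatever means the app uses.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical helper: TLS over a caller-supplied socket, with hostname check. */
public final class VerifiedTlsOverTunnel {

    private VerifiedTlsOverTunnel() {}

    /**
     * Layers TLS over an already-connected socket and returns it only if the
     * server certificate matches {@code host}. Closes the socket on failure.
     */
    public static SSLSocket wrap(Socket tunnel, String host, int port)
            throws IOException {
        SSLSocketFactory factory =
                (SSLSocketFactory) SSLSocketFactory.getDefault();
        // autoClose=true: closing the TLS socket also closes the tunnel.
        SSLSocket tls =
                (SSLSocket) factory.createSocket(tunnel, host, port, true);
        try {
            // The handshake checks the chain against the trust store only;
            // it does not compare the certificate with `host`.
            tls.startHandshake();
            SSLSession session = tls.getSession();

            // Assumption: running on Android, where the platform default
            // verifier performs real HTTPS hostname matching.
            HostnameVerifier verifier =
                    HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(host, session)) {
                throw new SSLPeerUnverifiedException(
                        "Certificate does not match host " + host);
            }
            return tls;
        } catch (IOException e) {
            try {
                tls.close();
            } catch (IOException ignored) {
                // Keep the original failure as the reported cause.
            }
            throw e;
        }
    }
}
```

A device test for this is to call `wrap` against a test server you control that presents a valid chain for a different name and assert that `SSLPeerUnverifiedException` is thrown.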
