Michael Rogers:
> On 06/09/16 11:54, Hans-Christoph Steiner wrote:
>> Have you run tests yet of HTTPS verification using your technique?  You
>> can take code from the NetCipher tests if you want.
> 
> Thanks, that's a good idea. We've tried it with a few HTTPS sites but
> haven't done any testing in depth.
> 
>> I don't remember details now, but I know that when doing tricks with how
>> Socket instances are created on Android, important pieces went missing,
>> like hostname verification.  In cases like these, it is important to
>> remember that Android != Java.  Android only promises to provide what
>> they document in their SDK docs, not all of Java.  And many companies
>> choose to take that opportunity to get lazy/sloppy with their builds of
>> Android.
> 
> Unfortunately these device-specific issues are hard to test on anything
> except a pile of real devices - any suggestions for how to reduce the
> manual testing workload?

I usually aim to test on one device from a major manufacturer,
especially ones that are known to customize their ROMs a lot (e.g.
Samsung).  For a good survey, you have to use services like appthwack
that let you rent lots of devices by the hour.

So my memory is coming back on the technical details of all this. It
seems that Apache Harmony/Android's implementation of sockets omitted
the SOCKS support, even though the docs said it was there.  They added
it in some time recently, like 5.1 or maybe even 6.0.  It would be good
to find a real reference to that so we know when we can count on it.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Reply via email to