Subsonic Forum

[cdtfry]

Is there any way to enforce SSL certificate verification on the Android app? I recently got caught out with a injected certificate from a proxy.

As far as I can tell (with superficial testing) the android app accepts any certificate that is presented without any notification, even when the certificate changes or is invalid for the domain.

Thanks

[jol]

Is there any way to enforce SSL certificate verification on the Android app? I recently got caught out with a injected certificate from a proxy.

As far as I can tell (with superficial testing) the android app accepts any certificate that is presented without any notification, even when the certificate changes or is invalid for the domain.

Thanks

I remember having seen a comment that this was done deliberately in order to allow https with self-signed certificates, as "trusted" certificates are usually expensive. But I agree that verification of the certificate should be done. As a compromise I would suggest to verify the certificate and if there is a problem (like not trusted, not matching hostname) ask the user whether to proceed and remember that decision for that URL - similar to like any SSH client is doing since years.
Best regards, jol

[cdtfry]

Agreed, the other solution I had thought about was to force certificate verification which would then require the certificate to be installed on the device - which is far less user friendly.

Does anyone know if this is likely to be included in future versions of the app? Its not really a headline feature but very good from a security standpoint.

My knowledge of Java is pretty much non-existent, I wonder how difficult it would be to implement?

[daneren2005]

My understanding is that you can setup a keystore for self-signed apps where the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied. Right now I looked in the code and it appears to just accept all self-signed certificates regardless, so in the future it probably needs to add to the devices keystore. I have no clue how complicated it would be though.

[cdtfry]

Thanks for the info, hopefully we will see something like this implemented in future versions. I guess the best chance of seeing this would be to start a thread under feature requests?

[BKKKPewsey]

I guess the best chance of seeing this would be to start a thread under feature requests?

Yep

I will do you a favour and move this thread there

[jol]

..the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied.

If I take this verbatim I cannot replace an expired or compromised certificate without also changing the host name...
Best regards, jol

[daneren2005]

..the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied.

If I take this verbatim I cannot replace an expired or compromised certificate without also changing the host name...
Best regards, jol

My experience has been that a lot of apps that do this have an option to clear self-signed signatures. And at least in ICS+ there is a way to access "user" certificates and delete them.

[jol]

..the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied.

If I take this verbatim I cannot replace an expired or compromised certificate without also changing the host name...
Best regards, jol

My experience has been that a lot of apps that do this have an option to clear self-signed signatures. And at least in ICS+ there is a way to access "user" certificates and delete them.

With that the approach sounds OK to me. My Android is still 2.2 but I guess it will be replaced by the time my certificate expires..
Btw. my Android uses a dedicated user with close to no authorizations, just to be sure someone tricking my device does not get more value than listening to my music..
Best regards, jol