Android App - SSL Certificate Verification

Posted:
Wed Nov 14, 2012 11:30 pm
by cdtfry
Is there any way to enforce SSL certificate verification on the Android app? I recently got caught out with an injected certificate from a proxy.
As far as I can tell (with superficial testing) the Android app accepts any certificate that is presented without any notification, even when the certificate changes or is invalid for the domain.
Thanks
Re: Android App - SSL Certificate Verification

Posted:
Thu Nov 15, 2012 2:13 pm
by jol
cdtfry wrote:Is there any way to enforce SSL certificate verification on the Android app? I recently got caught out with an injected certificate from a proxy.
As far as I can tell (with superficial testing) the Android app accepts any certificate that is presented without any notification, even when the certificate changes or is invalid for the domain.
Thanks
I remember having seen a comment that this was done deliberately in order to allow https with self-signed certificates, as "trusted" certificates are usually expensive. But I agree that verification of the certificate should be done. As a compromise I would suggest verifying the certificate and, if there is a problem (like not trusted, not matching hostname), asking the user whether to proceed and remembering that decision for that URL - similar to what any SSH client has been doing for years.
Best regards, jol
Re: Android App - SSL Certificate Verification

Posted:
Thu Nov 15, 2012 6:12 pm
by cdtfry
Agreed, the other solution I had thought about was to force certificate verification which would then require the certificate to be installed on the device - which is far less user friendly.
Does anyone know if this is likely to be included in future versions of the app? It's not really a headline feature but very good from a security standpoint.
My knowledge of Java is pretty much non-existent, I wonder how difficult it would be to implement?
Re: Android App - SSL Certificate Verification

Posted:
Thu Nov 15, 2012 6:50 pm
by daneren2005
My understanding is that you can set up a keystore for self-signed apps where the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied. Right now I looked in the code and it appears to just accept all self-signed certificates regardless, so in the future it probably needs to add to the device's keystore. I have no clue how complicated it would be though.
Re: Android App - SSL Certificate Verification

Posted:
Fri Nov 16, 2012 11:55 pm
by cdtfry
Thanks for the info, hopefully we will see something like this implemented in future versions. I guess the best chance of seeing this would be to start a thread under feature requests?
Re: Android App - SSL Certificate Verification

Posted:
Sat Nov 17, 2012 3:01 am
by BKKKPewsey
cdtfry wrote:I guess the best chance of seeing this would be to start a thread under feature requests?
Yep

I will do you a favour and move this thread there

Re: Android App - SSL Certificate Verification

Posted:
Sat Nov 17, 2012 6:01 am
by jol
daneren2005 wrote:..the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied.
If I take this verbatim I cannot replace an expired or compromised certificate without also changing the host name...
Best regards, jol
Re: Android App - SSL Certificate Verification

Posted:
Mon Nov 19, 2012 8:55 pm
by daneren2005
jol wrote:daneren2005 wrote:..the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied.
If I take this verbatim I cannot replace an expired or compromised certificate without also changing the host name...
Best regards, jol
My experience has been that a lot of apps that do this have an option to clear self-signed signatures. And at least in ICS+ there is a way to access "user" certificates and delete them.
Re: Android App - SSL Certificate Verification

Posted:
Tue Nov 20, 2012 6:14 am
by jol
daneren2005 wrote:jol wrote:daneren2005 wrote:..the first self-signed certificate for a given domain was accepted and saved, and from then on anything else would be denied.
If I take this verbatim I cannot replace an expired or compromised certificate without also changing the host name...
Best regards, jol
My experience has been that a lot of apps that do this have an option to clear self-signed signatures. And at least in ICS+ there is a way to access "user" certificates and delete them.
With that the approach sounds OK to me. My Android is still 2.2 but I guess it will be replaced by the time my certificate expires..
Btw. my Android uses a dedicated user with close to no authorizations, just to be sure someone tricking my device does not get more value than listening to my music..
Best regards, jol
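
The approach the thread converges on (remember the first certificate seen for a host, refuse a different one later, and offer a way to clear the stored entry), sketched as an added example that is not the app's code or any poster's. The class name `TofuTrustManager`, the `forget` method and the in-memory map are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.net.ssl.X509TrustManager;

/** Trust-on-first-use check for one host (hypothetical class, not the app's code). */
public class TofuTrustManager implements X509TrustManager {
    // host -> SHA-256 of the remembered certificate; in-memory here, a real app would persist it.
    private static final ConcurrentMap<String, String> PINS = new ConcurrentHashMap<String, String>();
    private final String host;

    public TofuTrustManager(String host) { this.host = host; }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        chain[0].checkValidity();  // expired or not-yet-valid certificates are rejected
        String seen = fingerprint(chain[0]);
        // First contact stores the fingerprint; this is the point where an app could ask the user.
        String pinned = PINS.putIfAbsent(host, seen);
        if (pinned != null && !pinned.equals(seen)) {
            throw new CertificateException("certificate for " + host + " changed since first use");
        }
    }

    /** The "clear" option from the thread: forget a host so a replaced certificate can be accepted. */
    public static void forget(String host) { PINS.remove(host); }

    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication is not handled here");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

It is installed per connection with `SSLContext.init(null, new TrustManager[] { new TofuTrustManager(host) }, null)`. As with SSH, the very first connection to a host is accepted without authentication, so the stored fingerprint only protects later connections.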