[guardian-dev] "Encryption found insufficient in many Android apps"

Nathan of Guardian nathan at guardianproject.info
Tue Oct 23 21:08:18 EDT 2012


On 10/23/2012 10:52 PM, Abel Luck wrote:
> Even better, if we could identify what is hard about getting this right,
> and create a helper library.

I posted this to another list (libtech) and forgot to cross-post here:

I would say that it is not an Android-specific problem, more of an
App-specific problem. One could say that the way in which the Android
API allows you to implement really terrible SSL handling code is a
problem, but I suspect you could also make the same standard mistakes in
Objective-C or .NET. I think the real problem is that there is no
industry standard method to display the status of an SSL or HTTPS
connection to a user, as there is with web browsers.

Beyond the risk of a man-in-the-middle attack, there is no way of
knowing at all if an app is even using SSL or HTTPS, other than a packet
level audit using Wireshark. I haven't seen any standard icon or
notifier on any mobile OS that tells me whether an app is using a secure
connection, whether that connection has been verified, and how I can
review the credentials used in the connection.

I would like to see privacy advocate groups take this issue up with
mobile OS vendors, as it is very much a consumer issue.

For Android developers, there are a few approaches you can take:

1) Moxie has a great post and sample code up here on not using CAs at
all and certificate pinning:
http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

2) You can include your own CA cert store in your app, and write custom
code for checking SSL status and notifying the user:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java

3) Use the MemorizingTrustManager project to prompt the user to verify
each cert they come across. This is a Trust on First Use approach
otherwise known as "ToFu"... mildly annoying but safe!
https://github.com/ge0rg/MemorizingTrustManager


Best,
 Nathan
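
The trust-on-first-use pinning idea behind options 1 and 3 above, as an added Java example that is not part of the original message and is not code from Moxie's post, Gibberbot or MemorizingTrustManager. The class name `TofuPinTrustManager` and the in-memory pin are assumptions, one instance serves a single server, and the key bytes in `main` are constructed.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Hypothetical class (not from any linked project): pins one server's public key on first use.
public class TofuPinTrustManager implements X509TrustManager {
    private byte[] pinnedHash; // null until first use; a real app would persist this per server
    static byte[] sha256(byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Core decision: memorize the key hash on first use, then require an exact match.
    synchronized void checkKey(byte[] spki) throws CertificateException {
        byte[] seen = sha256(spki);
        if (pinnedHash == null) {
            pinnedHash = seen; // first use: the point where the user is asked to verify
            return;
        }
        if (!MessageDigest.isEqual(pinnedHash, seen)) {
            throw new CertificateException("server key differs from the one memorized on first use");
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        chain[0].checkValidity(); // reject expired or not-yet-valid leaf certificates
        checkKey(chain[0].getPublicKey().getEncoded()); // DER SubjectPublicKeyInfo of the leaf
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    public static void main(String[] args) throws Exception {
        TofuPinTrustManager tm = new TofuPinTrustManager();
        byte[] keyA = {0x30, 0x01, 0x02}, keyB = {0x30, 0x01, 0x03}; // constructed stand-ins for key bytes
        tm.checkKey(keyA); // first use: memorized
        tm.checkKey(keyA); // same key again: accepted
        try { tm.checkKey(keyB); System.out.println("unexpected: changed key accepted"); }
        catch (CertificateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Install it with `SSLContext.init(null, new TrustManager[] { tm }, null)`; the pin has to be written to app storage to survive a restart.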


