Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Programming \ Android application security of data transmission security     - SecureCRT use the configuration detailed tutorial (Linux)

- Simple configuration shell scripts virtual machine environment experiment (Linux)

- PostgreSQL export table structure information (Database)

- VirtualBox virtual machine can not start to solve under Ubuntu (Linux)

- Java enum use (Programming)

- Ubuntu 14.04 CodeBlocks configuration manually compile Boost 1.57.0 (Linux)

- MySQL 5.5 on master-slave copy filter (Database)

- Python when automated operation and maintenance often used method (Programming)

- Linux crontab (Linux)

- Java Set and List in the relationship and difference (Programming)

- PPA on Ubuntu Linux installation Plank 0.8.0 (Linux)

- Orabbix binding Python send graphical reports (Linux)

- Spring use Cache (Programming)

- Linux System Getting Started Learning: Using yum to download the RPM package without installing (Linux)

- Linux rights management (Linux)

- GRUB how to load Linux kernel (Linux)

- Rely on IP chain established Linux firewall (Linux)

- Using DOS command to change UNIX administrator password (Linux)

- MySQL5.7 JSON type using presentation (Database)

- MySQL restart process can not be taken lightly (Database)

 
         
  Android application security of data transmission security
     
  Add Date : 2018-11-21      
         
         
         
  Android software typically use WIFI network communicate with the server. WiFi is not always reliable, for example, an open network or weakly encrypted network access can monitor network traffic; an attacker could set up their own WIFI phishing. In addition, after obtaining root privileges, you can also monitor network data in Android system.

Unencrypted plaintext transmission of sensitive data

The most dangerous is the direct use of HTTP protocol login account or exchange data. For example, attackers configure DNS servers set up their own networks in fishing, the domain name server software to connect to the attacker's resolve to another server, this server can obtain user login information, or acting as a client with the original server middleman, both forwards data.

Early on, some foreign well-known social networking sites Android client logon session is not encrypted, the subsequent emergence of hacking tools FaceNiff, specialized sniffing these sessions and hijacking (it even supports to attack on WEP, WPA, WPA2 encryption WIFI network), this is the only one open mobile software vulnerabilities to attack the current case I know.

Solution of these problems obviously ----- sensitive data is transmitted based on SSL / TLS for HTTPS.

SSL communication does not check the validity of the certificate

In the SSL / TLS communication, the client encrypted communications through trusted digital certificate judging whether the server, and the server uses the public key certificate.

However, developers in the development process in order to resolve the question of error ssl certificate (after using its own generated certificate, the client can not find the certificate trust chain is formed with the system trusted root CA, appeared CertificateException other abnormalities), the client side codes used in all manner of trust client certificates:

public static HttpClient getWapHttpClient () {
  
              try {
 
                    KeyStore trustStore = KeyStore.getInstance (KeyStore.getDefaultType ());
 
                    trustStore.load (null, null);
 
                    SSLSocketFactory sf = new MySSLSocketFactory (trustStore);
 
                    sf.setHostnameVerifier (SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
 
                // This phone trust all certificates, including third-party user certificate installed
 
                    HttpParams params = new BasicHttpParams ();
 
                    HttpProtocolParams.setVersion (params, HttpVersion.HTTP_1_1);
 
                    HttpProtocolParams.setContentCharset (params, HTTP.UTF_8);
 
                    SchemeRegistry registry = new SchemeRegistry ();
 
                    registry.register (new Scheme ( "http", PlainSocketFactory.getSocketFactory (), 80));
 
                    registry.register (new Scheme ( "https", sf, 443));
 
                    ClientConnectionManager ccm = new ThreadSafeClientConnManager (params, registry);
 
                    return new DefaultHttpClient (ccm, params);
 
              } Catch (Exception e) {
 
                    return new DefaultHttpClient ();
 
              }
 
      }

Google to cover the default certificate checking mechanism (X509TrustManager) on the client, and the SSL certificate without any check on the effectiveness of the code in the code:

public class MySSLSocketFactory extends SSLSocketFactory {
 
      SSLContext sslContext = SSLContext.getInstance ( "TLS");
 
      public MySSLSocketFactory (KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
 
              super (truststore);
 
              TrustManager tm = new X509TrustManager () {
 
                      public void checkClientTrusted (X509Certificate [] chain, String authType) throws CertificateException {
 
                    }
 
                    // No client SSL certificate to verify the validity and use a custom method to cover android comes with verification method
 
                    public void checkServerTrusted (X509Certificate [] chain, String authType) throws CertificateException {
 
                    }
 
                    public X509Certificate [] getAcceptedIssuers () {
 
                            return null;
 
                    }
 
              };
 
              sslContext.init (null, new TrustManager [] {tm}, null);
 
      }
}

If a malicious user certificate installed on your phone, then you can eavesdrop communications and data users to modify the request or response by way of an intermediary attacks.

Fishing Wifi network, in the same manner, an attacker can set the DNS server allows clients to communicate with a specific server. Attacker another certificate deployed on the server, set-up phase in the session, the client will receive this certificate, if the client ignores the exception of this certificate or accept the certificate, it will successfully establish a session start encrypted communication. But the attacker has the private key, so you can decrypt the data sent by the client plaintext. An attacker can impersonate the client, in touch with the real servers act as an intermediary to do monitoring.

Mobile applications middleman attack process:

1 client at startup, before transmitting the data need a handshake between the client and server to establish password encryption for data transmission of information both in the handshake process.

2 After a middleman in this process will request handshake client server to intercept information, impersonate the client request to the server (the server will be sent to support their own set of rules for encryption), select the server from which a set of cryptographic algorithm and HASH algorithm and their identity information in the form of a certificate sent back to the client. Certificate which contains the website address, public key encryption, as well as the certificate authority information.

3 but this time under middleman intercepts returned from the server certificate information to the client, and to replace their certificate information.

4 clients receive middleman response, will choose to intermediaries certificates for encryption of data transmission.

5 intermediaries after obtaining the client requests data to its own certificate for decryption.

6 After a tapping or modify the request data, then impersonate the client encrypted request data to the server. This completes the whole process middleman attack.

Protective measures:

Using CA certificate issued by the agency's approach feasible, but when combined with the actual situation, then, the time and cost is too high, so now rarely useful way to do this. As the mobile phone application server is actually fixed, the certificate is fixed, you can use the "certificate or public key lock" approach to protection certificate validation question was not made.

Specific implementation:

1 Public Key Lock

The public key certificate written to the client the apk, check the server public key certificate transmission https communication is consistent with the apk (X509TrustManager implement the interface).

public final class PubKeyManager implements X509TrustManager {
    private static String PUB_KEY = "30820122300d06092a864886f70d0101" + "0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85" + "5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc" + "ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657" + "2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8" + "609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50" + "c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00" + "33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38" + "cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b" + "e0b7a5bc860966dc84f10d723ce7eed5430203010001";
 
    // Lock the certificate in public key apk
 
    public void checkServerTrusted (X509Certificate [] chain, String authType) throws CertificateException
    
    {
    
        if (chain == null) {
        
            throw new IllegalArgumentException ( "checkServerTrusted: X509Certificate array is null");
        
        }
        
        if (! (chain.length> 0)) {
        
            throw new IllegalArgumentException ( "checkServerTrusted: X509Certificate is empty");
        
        }
        
        if (! (null! = authType && authType.equalsIgnoreCase ( "RSA"))) {
        
            throw new CertificateException ( "checkServerTrusted: AuthType is not RSA");
        
        }
        
        // Perform customary SSL / TLS checks
        
        try {
        
            TrustManagerFactory tmf = TrustManagerFactory.getInstance ( "X509");
        
            tmf.init ((KeyStore) null);
        
            for (TrustManager trustManager: tmf.getTrustManagers ()) {
            
                ((X509TrustManager) trustManager) .checkServerTrusted (chain, authType);
            
            }
        
        } Catch (Exception e) {
        
            throw new CertificateException (e);
        
        }
        
        // Hack ahead:. BigInteger and toString () We know a DER encoded Public Key begins
        
        // With 0 x 30 (ASN.1 SEQUENCE and CONSTRUCTED), so there is no leading 0 x 00 to drop.
        
        RSAPublicKey pubkey = (RSAPublicKey) chain [0] .getPublicKey ();
        
        String encoded = new BigInteger (1 / * positive * /, pubkey.getEncoded ()) toString (16).;
        
        // Pin it!
        
        final boolean expected = PUB_KEY.equalsIgnoreCase (encoded);
        
        if (! expected) {
        
            throw new CertificateException ( "checkServerTrusted: Expected public key:" + PUB_KEY + ", got public key:" + encoded);
        
        }
    
    }
 
}

2 certificate Lock:

Client is stored in the public key certificate issued by the mobile client (using the keystore), at https communications, fixed in the client code to get the certificate information, not from the service ends.

About certificate or public key locking technology can refer to the following links:

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
     
         
         
         
  More:      
 
- How to remove the Linux memory Cache, Buffer and swap space (Linux)
- Ubuntu15 core CLR (Server)
- How to install and use the Snort in Ubuntu 15.04 (Linux)
- C data types is how it is supported by most computer systems (Programming)
- Use window.name + iframe cross-domain access to data Detailed (Programming)
- Iscsi package is installed on RHEL 6.3 x86-64 systems (Linux)
- MySQL to manage multiple instances of method (Database)
- 20 Unix / Linux command skills (Linux)
- Linux loopback adapter Driven Design (Programming)
- Installation and Configuration rsync server under CentOS 6.3 (Server)
- Oracle SQL statement tracking (Database)
- innodb storage engine backup tool --Xtrabackup (Database)
- Linux command ls (Linux)
- The bulk batch multiple rows of data collect (Database)
- Android Unzip the ZIP / GZIP data (based on the InflaterInputStream implementation) (Programming)
- Use source packages compiled and installed GCC5.1 in Mac OS X 10.10.3 (Linux)
- CentOS 6 Install Xen4.2 Virtualization Practice (Linux)
- Getting Started with Linux system to learn: how to install USB webcams come in raspberry (Linux)
- MySQL separation Amoeba achieve literacy (Database)
- Laravel 4 Expansion Pack (Server)
     
           
     
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.