In modern terms, the term “SSL”(Secure Sockets Layer) often refers to “TLS” (Transport Layer Security). While SSL and TLS are not the same, TLS is the improved and more secure version of SSL and has largely replaced SSL in practice.
Introduction :
SSL/TLS: The Dynamic Duo of Internet Security! 🔒💻 These are cryptographic protocols which establish secure communication channels to ensuring data privacy, integrity, and authentication during online exchanges. SSL took the first shot, but TLS came in like a superhero, fixing the mess and saving the day! 🦸♂️ Now, they team up to keep our data safe from evil hackers! 🔒😎
In the world of internet security, it’s TLS that rocks the modern tech cape, leaving SSL in its nostalgic dust! 🚀 So, next time you browse the web, remember, it’s TLS guarding your secrets like a boss! 🤫🔐
Here’s the full history of SSL and TLS releases:
- SSL 1.0 — never publicly released due to security issues.
- SSL 2.0 — released in 1995. Deprecated in 2011. Has known security issues.
- SSL 3.0 — released in 1996. Deprecated in 2015. Has known security issues.
- TLS 1.0 — released in 1999 as an upgrade to SSL 3.0. Planned deprecation in 2020.
- TLS 1.1 — released in 2006. Planned deprecation in 2020.
- TLS 1.2 — released in 2008.
- TLS 1.3 — released in 2018.
A website that implements SSL/TLS has “HTTPS” in its URL instead of “HTTP.”
HTTPS (Hypertext Transfer Protocol Secure) is a combination of HTTP and SSL/TLS protocols. It encrypts the data transmitted between a client (in our case the Android app) and a server, preventing unauthorized access and tampering. The HTTPS protocol is signified by “https://” in the URL and is essential for secure web communication.
Understanding SSL Pinning
SSL pinning is like having a trusted guest list for your app’s party. Instead of relying solely on Certificate Authorities (CAs) to validate SSL/TLS certificates, SSL pinning involves hardcoding or “pinning” the trusted server’s public key or certificate in your app. This way, the app ensures that it only connects to the designated servers, significantly reducing the risk of man-in-the-middle attacks and unauthorized access.
The Importance of SSL Pinning
- Protection against Man-in-the-Middle Attacks: Without SSL pinning, an attacker could intercept the communication between your app and the server, posing as a middleman (MITM). They could present their own SSL certificate to your app, compromising data security. SSL pinning prevents this by ensuring that only the predefined certificates are trusted.
- Resilience against CA Compromises: In the traditional CA validation process, if a trusted CA’s private key is compromised, attackers can issue fraudulent certificates that your app would trust unknowingly. SSL pinning eliminates this risk since your app is not solely dependent on CAs.
- Enhanced Data Privacy: SSL pinning strengthens data privacy by reducing the chance of unauthorized access to sensitive information.
Getting Started with Android Network Configuration
Android Network Configuration allows developers to define network security policies for their apps using XML files. Think of it as setting the stage for a grand performance! We’ll create a file called network_security_config.xml in the res/xml directory of our Android project.
Defining Trusted Domains and Pins
Let’s start by defining our trusted domain and its corresponding public key pins in the network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config>
<domain includeSubdomains="true">example.com</domain>
<pin-set>
<!-- Pin for the SSL/TLS certificate of example.com -->
<pin digest="SHA-256">ReplaceWithYourPin</pin>
<!-- Backup Pin for the SSL/TLS certificate of example.com -->
<pin digest="SHA-256">ReplaceWithYourPin</pin>
</pin-set>
</domain-config>
</network-security-config>
Job Offers
OUR VIDEO RECOMMENDATION
Jobs
The pin is a base64 encoded digest of X.509 SubjectPublicKeyInfo (SPKI). Replace ReplaceWithYourPin with base64 encoded actual SHA-256 hash of the public key or certificate for the trusted domain (e.g., example.com). You can obtain this pin by inspecting the server’s SSL/TLS certificate or use this ssllabs website to get these pins. Don’t know how?, check the below blog.
🔍🔒 Take a look at this Blog to unveil your 🔒SHA-256 hash and Base64 Encoded Pin! 🚀💻 — Unveiling the SHA-256 Fingerprint using SSL Labs — SSL Pinning
Applying Network Configuration
Next, we need to tell our app to use this network configuration. Open the AndroidManifest.xml file and add the following attribute to the <application> element:
<application
android:networkSecurityConfig="@xml/network_security_config"
...>
...
</application>
This configures your app to use the specified network security configuration.
Now, let’s put our configuration to the TEST! 🕵️♂️🔍
Performing HTTPS Connection with URL 💻🔒
With our network configuration in place, it’s time to unleash the power of the HttpsURLConnection class! 🔥 This tech-savvy hero is our key to making secure HTTPS connections with ease.
try {
// Create a URL object for the target server
val mURL = URL("https://example.com/api/data")
with(mURL.openConnection() as HttpsURLConnection) {
requestMethod = "GET"
// Add any necessary headers here
println("URL: ${this.url}")
println("Response Code: ${this.responseCode}")
// Perform the actual connection and handle the response
val responseCode = responseCode
if (responseCode == HttpsURLConnection.HTTP_OK) {
// Hooray! Connection successful - time to celebrate! 🎉🎉🎉
// Now, let's process the response and show off our data handling skills! 🤓📊
} else {
// Oops! Handle other response codes (e.g., error cases) gracefully 😅
// Every superhero faces challenges - it's how we handle them that matters!
}
}
} catch (e: Throwable) {
// Uh-oh! Invalid ssl pinning or some other Network errors - but fear not, we're prepared! 💪🛡️
// Time to troubleshoot and save the day with proper error handling!
println(e)
}
With our SSL pinning and HttpsURLConnection at the helm, we can confidently navigate the digital seas, knowing that our users’ data is safe and secure. So, go ahead and test your secure HTTPS connections with pride! 💪💻🔒
Remember, security is an ever-evolving adventure, and humour makes the journey all the more enjoyable. Happy testing and secure coding in Kotlin! 🚀🔐😄
This article was previously published on proandrdoiddev.com
