我刚开始为一个本地健身房的应用程序工作,并且由于我的测试已接近完成,并且版本1即将完成,我开始考虑保护应用程序免受任何MITM类型的攻击。虽然我知道有人甚至想要MITM这个应用程序(而不是银行应用程序)的机会几乎为零,但我仍然希望在安全方面有点积极主动。
虽然应用程序发送/接收没有用户信息(来回发送的数据是重量,代表,时间,用户签到的类的名称等等),我正在传输所有活动的名称健身房成员(用于自动完整的文本框)。我想加密名称,但我发现很难将我的代码从HTTP更改为HTTPS。我的服务器上有HTTPS和自签名证书,但似乎无法让android端工作(在eclipse中不会遇到对等证书错误)。作为一种解决方法,我考虑过使用AES128加密/散列每个名称,然后在手机上解密,然后在通过PHP将数据发送回数据库时也这样做。
这是加密整个会话的充分替代方案吗?称之为“懒惰SSL”,好像有人要获得密钥,他们就能够解密数据,但同样,我们只传输名称,没有其他用户信息。
这是我正在使用的未加密代码(我遗漏了不必要的东西,使这个块更小):
public JSONObject makeHttpRequest(String url, String method, List<NameValuePair> params) {
if (method == "POST") {
// request method is POST
// defaultHttpClient
DefaultHttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost(url);
httpPost.setEntity(new UrlEncodedFormEntity(params));
HttpResponse httpResponse = httpClient.execute(httpPost);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}
这是一个用于解析Json的更大的类: My entire JSONParser class
我在需要拉取数据或将数据发送到服务器的地方调用此类,如下所示:
final JSONParser jsonParser = new JSONParser();
final List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("tag", Globals.TAG_GETMEMBERS));
params.add(new BasicNameValuePair("LastRow", lastRow));
// getting JSON string from URL
final JSONObject json = jsonParser.makeHttpRequest(
Globals.WEBSERVICE_URL, "POST", params);
使用各种资源:
How to enable a self-signed certificate for SSL sockets on Android?
http://randomizedsort.blogspot.com/2010/09/step-to-step-guide-to-programming.html
我能够获得有用的东西,我最初尝试使用“信任所有证书”方法,但由于这是MITM倾向,我宁愿不使用它(加上它不起作用。使用第二个链接我'到目前为止重新生成证书,我已经下载了充气城堡罐(
我还使用以下命令生成密钥库,并将其导入到我的项目中:
keytool -genkey -dname "cn = smashwebserver, ou=Development Team, o=Smash Gyms, L=Sunnyvale, s=California, c=US" -alias ssltest -keypass ssltest -keystore c:\dell\ssltest.keystore -storepass ssltest -validity 180
keytool -export -alias ssltest -keystore c:\dell\ssltest.keystore -file c:\dell\ssltest.cer -storepass ssltest -keypass ssltest
keytool -import -alias ssltestcert -file C:\dell\ssltest.cer -keypass ssltestcert -keystore "C:\Users\Evan Richardson\workspace\SmashGyms\res\raw\ssltestcert" -storetype BKS -storepass ssltestcert -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Users\Evan Richardson\workspace\SmashGyms\libs\bcprov-jdk15on-147.jar"
生成的JSONParser类块如下所示:
if (method == "POST") {
// Load the self-signed server certificate
char[] passphrase = "ssltest".toCharArray();
KeyStore ksTrust = KeyStore.getInstance("BKS");
ksTrust.load(context.getResources().openRawResource(
R.raw.ssltestcert), passphrase);
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(KeyManagerFactory.getDefaultAlgorithm());
tmf.init(ksTrust);
// Create a SSLContext with the certificate
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(),
new SecureRandom());
// request method is POST
// defaultHttpClient
DefaultHttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost(url);
httpPost.setEntity(new UrlEncodedFormEntity(params));
HttpResponse httpResponse = httpClient.execute(httpPost);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}
然而现在我收到以下错误:
10-29 11:55:28.470: W/System.err(9561): java.io.IOException: Wrong version of key store.
我看了那个错误,在这里找到了一个可能的解决方案:Android bouncy castle: IOException
我已经下载了145版本的bouncycastles Jar,并使用了它。这修复了ioexception错误,但现在我得到以下内容:
10-29 12:21:57.536: W/System.err(12506): Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x10b9a10: Failure in SSL library, usually a protocol error
10-29 12:21:57.536: W/System.err(12506): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (external/openssl/ssl/s23_clnt.c:683 0x4026dced:0x00000000)
10-29 12:21:57.536: W/System.err(12506): return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
10-29 12:21:57.586: W/System.err(12506): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
奇怪的是,如果我将我的网址更改为“https://google.com”,我不会收到任何错误,只有以下内容:
10-29 14:03:50.198: V/httpresponsetag:(17810): <!DOCTYPE html>
10-29 14:03:50.198: V/httpresponsetag:(17810): <html lang=en>
10-29 14:03:50.198: V/httpresponsetag:(17810): <meta charset=utf-8>
10-29 14:03:50.198: V/httpresponsetag:(17810): <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
10-29 14:03:50.198: V/httpresponsetag:(17810): <title>Error 405 (Method Not Allowed)!!1</title>
10-29 14:03:50.198: V/httpresponsetag:(17810): <style>
10-29 14:03:50.198: V/httpresponsetag:(17810): *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
10-29 14:03:50.198: V/httpresponsetag:(17810): </style>
10-29 14:03:50.198: V/httpresponsetag:(17810): <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a>
10-29 14:03:50.198: V/httpresponsetag:(17810): <p><b>405.</b> <ins>That’s an error.</ins>
10-29 14:03:50.198: V/httpresponsetag:(17810): <p>The request method <code>POST</code> is inappropriate for the URL <code>/</code>. <ins>That’s all we know.</ins>
这可能表明它实际上是我的自签名证书,但是如果我打开https:servername,它可以工作(当然是默认警告)
修改
即使接受了所有证书,我也得到了相同的错误,所以我去了我的浏览器,看了我正在使用的主机名,同样的错误。然后我查看了我的路由器上的NAT设置...我转发到端口80,而不是443.失败。更改为443,现在看起来它正在工作,至少接受所有证书和以下代码:
public JSONObject makeHttpRequest(String url, String method,
List<NameValuePair> params) throws NoSuchAlgorithmException,
CertificateException, NotFoundException, KeyStoreException,
KeyManagementException {
// Making HTTP request
try {
// check for request method
if (method == "POST") {
// request method is POST
// defaultHttpClient
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs,
String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs,
String authType) {
}
} };
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts,
new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc
.getSocketFactory());
} catch (Exception e) {
}
// Now you can access an https URL without having the certificate in the truststore
HttpClient client = new DefaultHttpClient();
client = this.sslClient(client);
HttpPost httpPost = new HttpPost(url);
httpPost.setEntity(new UrlEncodedFormEntity(params));
// Log.v(TAG, EntityUtils.toString(result.getEntity()));
HttpResponse httpResponse = client.execute(httpPost);
// Log.v("httpresponsetag:", EntityUtils.toString(httpResponse
// .getEntity()));
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}
答案 0 :(得分:4)
忘记重新发明懒惰的SSL或其他什么。只需使用SSL并修复您的代码。并且不关闭证书验证并信任所有证书。使用自签名证书并不是特别困难,发布您尝试过的内容,人们会指出您正确的方向。通常你需要:
KeyStore
如果您使用的是HttpClient
,请注意以下操作:注意SSLSocketFactory
:
KeyStore ts = KeyStore.getInstance("BKS");
InputStream in = getResources().openRawResource(R.raw.mytruststore);
ts.load(in, TRUSTSTORE_PASSWORD.toCharArray());
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(ts);
schemeRegistry.register(new Scheme("https", sslSocketFactory, 443));
HttpParams params = new BasicHttpParams();
ClientConnectionManager cm =
new ThreadSafeClientConnManager(params, schemeRegistry);
HttpClient client = new DefaultHttpClient(cm, params);
有关更多示例,示例项目和一些背景信息,请参阅此处:http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html
答案 1 :(得分:1)
我不明白为什么你想要解决SSL并发明自己的加密方案。我有一种感觉,你的自签名证书会导致你的问题,也许你需要关闭在eclipse中验证自签名证书?
答案 2 :(得分:-2)
我知道你正在使用ssl,但如果你愿意,还有一种选择。它使用编码和解码。
function encodeString($ss,$ntime){
for($i=0;$i<$ntime;$i++){
$ss=base64_encode($ss);
}
return $ss;
}
function decodeString($ss,$ntime){
for($i=0;$i<$ntime;$i++){
$ss=base64_decode($ss);
}
return $ss;
}
您可以像使用
一样使用它 encodeString("$membername", 3); //3 will make the encryption more strong. Higher the value higher the encryption.
decodeString("$membername", 3); //decodes the member name.