tags:

views:

462

answers:

2
Q: 

HTTPS connection to exactly one site (Android)

Hello,

I'm creating an app for the Android platform which will connect with just one site using https. It is essential that it won't be able to connect to any other sites, even with valid SSL certificates. I want it to be resistant to every form redirection (for example to site pretending to be the one I need to connect with) or other "attacks". Unfortunately I cannot find any good tutorial about SSL in Android... Do you know any? I'd be grateful for some links or advices. Or maybe could you give me some code snippets? My app is prepared to use HttpURLConnection or HttpClient - it makes no difference which path will I choose.

Thank you in advance :)

+1  A: 

Hardcoding URL not going to solve this ?

Alex Volovoy  2010-01-18 19:12:28
URL is hardcoded :) I'm just afraid that some unknown, nasty network could send http request to a different ip (don't know if it is actually possible). The thing is I'd like to accept only one certificate, but I don't know how to instantiate HttpClient appropriately...
omarcin  2010-01-18 20:30:06
I don't think i follow. You want to have you device make https connection to one address. Hardcoding URL/or IP will solve it. Please explain how you expect "nasty network" making http requests from the device, and inside your application.
Alex Volovoy  2010-01-18 21:53:24
A: 

If you're really that paranoid then hardcoding a URL is not safe as a URL can point to a different IP when your DNS server is poisoned. These is not likely to happen though.

Hardcoding IP's can help to avoidthis problem as the server is directly accessed without a DNS name resolution.

vbsteven  2010-01-19 11:34:28

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL