Chapter 7. Secure Networking

In this chapter, we will cover the following recipes:

  • Validating self-signed SSL certificates
  • Using StrongTrustManager from the OnionKit library
  • SSL pinning

Introduction

Secure Sockets Layer (SSL) is one of the core parts of encrypted communications between a client and a server. Its primary deployment has been for web browsers to encrypt messages and ascertain a level of trust with a third-party service for online transactions, such as buying a DVD or Internet banking. Unlike web browsers, there is no padlock icon in the left corner of an Android app providing a visual indicator that the connection is secure. Unfortunately, there have been instances where this validation has been skipped by app developers. This was highlighted by the paper, Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security (http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf).

In this chapter, we are going to look at some of the common pitfalls of using SSL on Android, specifically relating to self-signed certificates. The main focus is how to make SSL stronger to help guard against some of the vulnerabilities noted in the previous chapter. After all, Android apps are effectively thick clients. So why not take advantage of the additional capabilities they have compared with web browsers by performing extra validation and imposing restrictions on the certificates and certificate roots we trust?

Although it is out of the scope of this book, the web server's configuration is a big factor in effective network security. Common vectors that an app can do little about include SSL strip, session hijacking, and cross-site request forgery. However, these can be mitigated with robust server configuration. To aid in this, SSL Labs recently released a best practice document, which is available at https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf.
