Using StrongTrustManager from the OnionKit library

In this recipe, we are going to leverage the great work of the folks at the Guardian Project to enhance the validation of SSL connections made by our app. Specifically, we are going to make use of StrongTrustManager.

Getting ready

OnionKit is distributed as an Android library project. Before we start this recipe, download the OnionKit library from the GitHub page (https://github.com/guardianproject/OnionKit).

Then, extract and add to your project as you would add any other Android library project.

How to do it...

Let's get started!

  1. Integrating the StrongTrustManager class couldn't be simpler. It is just a case of swapping out your HttpClient implementation. Hence, change the following code:
    public HttpResponse sampleRequest() throws Exception {
        HttpClient httpclient = new DefaultHttpClient();
        HttpGet httpget = new HttpGet("https://server.com/path?apikey=123");
        HttpResponse response = httpclient.execute(httpget);
        return response;
    }

    To this:

    public HttpResponse strongSampleRequest() throws Exception {
        // StrongHttpsClient is OnionKit's drop-in replacement for DefaultHttpClient;
        // it needs a Context so that StrongTrustManager can load its trust store.
        StrongHttpsClient httpclient = new StrongHttpsClient(context);
        HttpGet httpget = new HttpGet("https://server.com/path?apikey=123");
        // Note the request object must be passed to execute(), exactly as before.
        HttpResponse response = httpclient.execute(httpget);
        return response;
    }

    In your code, change the imports from org.apache.http.* to ch.boye.httpclientandroidlib.* (for example, ch.boye.httpclientandroidlib.client.methods.HttpGet and ch.boye.httpclientandroidlib.HttpResponse). The HttpGet and HttpResponse objects used by OnionKit come from another library called httpclientandroidlib (also included in OnionKit). httpclientandroidlib is a repackaging of HttpClient 4.2.3 for Android, which includes updates and bug fixes over the older HttpClient bundled with the Android SDK.

  2. Enable the notifications:
    httpclient.getStrongTrustManager().setNotifyVerificationFail(true);

    This is a useful feature for notifying users that certificate verification has failed, and therefore that the Internet resource they are currently connecting to cannot be trusted. Note that the notification is informational only; your code must still treat the failed connection as untrusted rather than retrying over plain HTTP.

  3. Enable the full verification of the certificate chain:
    httpclient.getStrongTrustManager().setVerifyChain(true);

    Enabling verifyChain ensures that when the TrustManager's checkServerTrusted(...) method is called while making an HTTPS connection, the whole certificate chain (leaf, intermediates, and root) is validated, not just the leaf certificate. This setting is enabled by default.

  4. Enable checking for weak cryptographic algorithms:
    httpclient.getStrongTrustManager().setCheckChainCrypto(true);

    This checks the certificate chain for instances where an issuer has signed a certificate with an MD5-based signature algorithm (for example, MD5withRSA). MD5 is considered broken for this purpose because collisions can be generated, which has been used in practice to forge certificates, so such chains should be rejected. This setting is enabled by default.
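    The four steps above, pulled together into one class that a practitioner could drop into an Android project. This is an added example, not code from the original recipe or from the OnionKit project; it assumes the OnionKit classes live in the package info.guardianproject.onionkit.trust (the package name is taken from the OnionKit source layout and is an assumption here), that the httpclientandroidlib EntityUtils and HttpStatus helpers are available under ch.boye.httpclientandroidlib.*, and that the server accepts the API key in a request header named X-Api-Key (a hypothetical header name) instead of in the query string, so that the key does not end up in server access logs or Referer headers the way the recipe's ?apikey=123 URL would.

```java
import android.content.Context;

import ch.boye.httpclientandroidlib.HttpResponse;
import ch.boye.httpclientandroidlib.HttpStatus;
import ch.boye.httpclientandroidlib.client.methods.HttpGet;
import ch.boye.httpclientandroidlib.util.EntityUtils;

import info.guardianproject.onionkit.trust.StrongHttpsClient;   // assumed package
import info.guardianproject.onionkit.trust.StrongTrustManager; // assumed package

import java.io.IOException;

import javax.net.ssl.SSLException;

/**
 * Issues HTTPS GET requests through OnionKit's StrongHttpsClient with the
 * three StrongTrustManager checks from the recipe switched on explicitly.
 * Example code added to the recipe, not part of OnionKit itself.
 */
public final class StrongFetcher {

    private static final String API_KEY_HEADER = "X-Api-Key"; // hypothetical header name

    private final StrongHttpsClient client;
    private final String apiKey;

    public StrongFetcher(Context context, String apiKey) {
        this.apiKey = apiKey;
        client = new StrongHttpsClient(context);

        StrongTrustManager tm = client.getStrongTrustManager();
        tm.setNotifyVerificationFail(true); // step 2: tell the user when validation fails
        tm.setVerifyChain(true);            // step 3: validate every certificate in the chain
        tm.setCheckChainCrypto(true);       // step 4: reject MD5-signed certificates in the chain
    }

    /**
     * Fetches the body of an HTTPS URL. Throws IOException on any TLS or HTTP
     * failure; it never downgrades to plain HTTP. Must be called off the main
     * thread, as with any Android network I/O.
     */
    public String fetch(String url) throws IOException {
        if (!url.startsWith("https://")) {
            // Refuse cleartext URLs outright rather than silently sending the API key in the clear.
            throw new IllegalArgumentException("refusing non-HTTPS URL: " + url);
        }

        HttpGet get = new HttpGet(url);
        get.setHeader(API_KEY_HEADER, apiKey); // keep the secret out of the URL

        HttpResponse response;
        try {
            response = client.execute(get);
        } catch (SSLException e) {
            // StrongTrustManager rejected the server certificate (bad chain, weak
            // signature, hostname mismatch). Surface it as a hard failure.
            throw new IOException("TLS validation failed for " + url, e);
        }

        int status = response.getStatusLine().getStatusCode();
        if (status != HttpStatus.SC_OK) {
            EntityUtils.consume(response.getEntity()); // release the connection
            throw new IOException("unexpected HTTP status " + status + " from " + url);
        }
        return EntityUtils.toString(response.getEntity(), "UTF-8");
    }
}
```

    Because the three setters are all enabled by default, calling them explicitly is mainly documentation: it makes the intended policy visible in code review and protects against a future OnionKit release changing the defaults. The SSLException catch is where a failed verification surfaces to your code; the user-facing notification from step 2 does not stop the exception from being thrown.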

There's more...

Throughout this chapter, we have used the HttpClient API; you might wonder why, since the HttpClient API has been deprecated in Android. To clarify, Google deprecated the use of the version of HttpClient included in the Android SDK due to several existing bugs, and currently recommends using URLConnection instead. However, as previously noted, OnionKit uses a separate, updated, and fixed version of the HttpClient library (httpclientandroidlib), so that deprecation does not apply to it.

The Orbot and Tor networks

The Tor project is a free implementation of onion routing, which provides Internet anonymity and resistance to traffic surveillance. Orbot is a free Android application that runs Tor on the device and exposes it as a local proxy for other Android apps to use.

Another key feature of OnionKit is allowing your app to connect to the Internet via the Orbot proxy and therefore have its Internet traffic anonymized.

The OrbotHelper class helps determine whether the Orbot app is installed and running and provides convenient methods to start and use it.
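An added example of the Orbot check-then-route flow described above; this is not code from the original recipe or from OnionKit. It assumes OrbotHelper lives in info.guardianproject.onionkit.ui, is constructed with a Context and exposes isOrbotInstalled(), isOrbotRunning(), promptToInstall(Activity) and requestOrbotStart(Activity), and that StrongHttpsClient exposes useProxy(boolean, String type, String host, int port) for pointing the client at a local SOCKS proxy; all of these names are assumptions about the OnionKit API of the time. The SOCKS host and port are Orbot's conventional defaults and are assumed rather than taken from the page.

```java
import android.app.Activity;

import info.guardianproject.onionkit.trust.StrongHttpsClient; // assumed package
import info.guardianproject.onionkit.ui.OrbotHelper;          // assumed package and API

/**
 * Routes a StrongHttpsClient through Orbot, failing closed when Orbot is not
 * ready so that traffic is never sent unproxied by accident.
 * Example code added to the recipe, not part of OnionKit itself.
 */
public final class TorRouting {

    // Orbot's conventional local SOCKS listener (assumed defaults; make them configurable).
    private static final String TOR_SOCKS_HOST = "127.0.0.1";
    private static final int TOR_SOCKS_PORT = 9050;

    /**
     * Returns true if the client is now configured to use Orbot. Returns false,
     * without touching the client, if Orbot is missing or not yet running; the
     * caller must then wait (or retry after the user acts) rather than send the
     * request directly.
     */
    public static boolean routeThroughOrbot(Activity activity, StrongHttpsClient client) {
        OrbotHelper orbot = new OrbotHelper(activity); // assumed constructor

        if (!orbot.isOrbotInstalled()) {
            orbot.promptToInstall(activity); // sends the user to install Orbot
            return false;
        }
        if (!orbot.isOrbotRunning()) {
            orbot.requestOrbotStart(activity); // asks Orbot to start; it is asynchronous
            return false;
        }

        // Orbot is up: send everything through its local SOCKS proxy.
        client.useProxy(true, "SOCKS", TOR_SOCKS_HOST, TOR_SOCKS_PORT); // assumed signature
        return true;
    }
}
```

The important design choice is the boolean return: a helper that silently falls back to a direct connection when Orbot is unavailable defeats the purpose of using Tor, so the caller has to check the result before issuing any request.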

Pinning and CACert

The StrongTrustManager class does provide some limited certificate pinning by restricting the set of trusted root certificate authorities when used in conjunction with another of the Guardian Project's libraries, called CACert.

We will discuss SSL pinning in more detail in the next chapter and create our own TrustManager class to specifically pin our SSL certificate chain that is suitable for both CA and self-signed certificates.

See also
