Share

Question

Hi!

I followed this guide: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8 to install a SSL certificate on the server. But how can I write the code now so that the client uses it when authenticating in my app? Is there any guide for that?

Answer 1

hansen March 20, 2017

@Johan1234
You just have to change all your http:// request to https://
Otherwise not sure what you're asking and how this is related to Android.

Reply

Johan1234 March 20, 2017

Alright, I create my app in Android studio. But don't you need to do something like this: http://littlesvr.ca/grumble/2014/07/21/android-programming-connect-to-an-https-server-with-self-signed-certificate/ ? Feels too easy to just change the http links to https in my java files and then the traffic is encrypted during authentication. I only want to encrypt the traffic between client and server when you authenticate right now.
- hansen March 20, 2017
  
  @Johan1234
  That's it. It is easy thanks to Let's Encrypt. So just change your URLs in your files and that's it. Since this is not a self-signed certificate, it's easy to setup.
  I would highly recommend that you change all your URLs to https - why not?
  
  Johan1234 March 20, 2017
  
  How will the application use the cert on the server that it has then?
  
  hansen March 20, 2017
  
  It will use the public CA list, which is included in Android. The same reason why you can browse this website over HTTPS from your phone.
  
  Johan1234 March 20, 2017
  
  Alright but if I change to https in the code, how can I be sure that no one can listen to the traffic now and don't manipulate anything when you authenticate?
  
  hansen March 20, 2017
  
  It doesn't allow me to reply to your newest post, but I'll just add this to notify you @Johan1234
  
  That's a huge question, but in quick words: If a certificate is issued via one of the CAs on the public lists, then it's deemed trusted.
  If you want, you can create a self-signed certificate and then you'll see many warnings (both in your code and through the browser) until you add the certificate to your trust list.
  Here's my question to you, how do you know the traffic is secure between your browser and this forum? If you can answer that, then it's the same for your site (or your bank, Gmail or anything else using HTTPS).
Johan1234 March 21, 2017

@hansen

I think I have fixed all changes to HttpsURLconnection now, in android studio and on the server. How can I make the server show that the traffic is encrypted by writing to log?
- hansen March 21, 2017
  
  @Johan1234
  Well, the best way is to redirect all traffic from http to https - then you don't need to log anything, since you know all traffic is secure.
  https://wiki.apache.org/httpd/RedirectSSL
  The other ways to do it;
  
  Log the server HTTPS-variable in your code, when people login
  
  Log with access log: http://serverfault.com/questions/359476/how-to-log-the-url-scheme-http-https-in-apache
  
  Johan1234 March 21, 2017
  
  Alright thank you for the help! Really appreciate it!

Answer 2

Johan1234 March 20, 2017

Alright, I create my app in Android studio. But don't you need to do something like this: http://littlesvr.ca/grumble/2014/07/21/android-programming-connect-to-an-https-server-with-self-signed-certificate/ ? Feels too easy to just change the http links to https in my java files and then the traffic is encrypted during authentication. I only want to encrypt the traffic between client and server when you authenticate right now.
- hansen March 20, 2017
  
  @Johan1234
  That's it. It is easy thanks to Let's Encrypt. So just change your URLs in your files and that's it. Since this is not a self-signed certificate, it's easy to setup.
  I would highly recommend that you change all your URLs to https - why not?
  
  Johan1234 March 20, 2017
  
  How will the application use the cert on the server that it has then?
  
  hansen March 20, 2017
  
  It will use the public CA list, which is included in Android. The same reason why you can browse this website over HTTPS from your phone.
  
  Johan1234 March 20, 2017
  
  Alright but if I change to https in the code, how can I be sure that no one can listen to the traffic now and don't manipulate anything when you authenticate?
  
  hansen March 20, 2017
  
  It doesn't allow me to reply to your newest post, but I'll just add this to notify you @Johan1234
  
  That's a huge question, but in quick words: If a certificate is issued via one of the CAs on the public lists, then it's deemed trusted.
  If you want, you can create a self-signed certificate and then you'll see many warnings (both in your code and through the browser) until you add the certificate to your trust list.
  Here's my question to you, how do you know the traffic is secure between your browser and this forum? If you can answer that, then it's the same for your site (or your bank, Gmail or anything else using HTTPS).
Johan1234 March 21, 2017

@hansen

I think I have fixed all changes to HttpsURLconnection now, in android studio and on the server. How can I make the server show that the traffic is encrypted by writing to log?
- hansen March 21, 2017
  
  @Johan1234
  Well, the best way is to redirect all traffic from http to https - then you don't need to log anything, since you know all traffic is secure.
  https://wiki.apache.org/httpd/RedirectSSL
  The other ways to do it;
  
  Log the server HTTPS-variable in your code, when people login
  
  Log with access log: http://serverfault.com/questions/359476/how-to-log-the-url-scheme-http-https-in-apache
  
  Johan1234 March 21, 2017
  
  Alright thank you for the help! Really appreciate it!

Answer 3

Johan1234 March 20, 2017

Alright I see, thank you for the help then!

Reply

Guide for making client accept SSL certificate Android

Leave a Comment

Share

Share your Question

Guide for making client accept SSL certificate Android

Leave a Comment

Related Questions

Almost there!