Encryption related

This section introduces the two kinds of encryption that HTTPS relies on: symmetric and asymmetric.

Symmetric encryption uses the same key for encryption and decryption, so both parties must already share that secret key. Its advantages are simplicity, short keys (128 or 256 bits for AES) and fast encryption and decryption, which makes it the right tool for bulk data. Common symmetric algorithms include DES, 3DES, IDEA, AES and RC4. For new systems only AES should be chosen: DES has a 56-bit key that can be brute-forced, 3DES is deprecated, and RC4 has well-known keystream biases.

Asymmetric encryption uses two mathematically linked keys, a public key and a private key, which form a pair. Data encrypted with the public key can only be decrypted with the private key; conversely, something signed with the private key can be verified by anyone holding the public key, which is the basis of digital signatures. Because the public key can be distributed freely, the parties need no pre-shared secret, but the operations are orders of magnitude slower than a symmetric cipher and can only process small inputs (RSA-2048 with OAEP and SHA-256 encrypts at most 190 bytes per operation). It is therefore unsuitable for large files and is used to protect small data, typically a symmetric key that then encrypts the bulk traffic; TLS works exactly this way. Common asymmetric algorithms include RSA, ECC (elliptic-curve schemes such as ECDH and ECDSA) and DSA, the last of which is signature-only and cannot encrypt at all.
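The division of labour described above (asymmetric for a small secret, symmetric for the bulk data) is called hybrid encryption. The following is an added example written for this page, not code from the original article: it seals a 1 MiB constructed payload with AES-256-GCM, wraps only the 32-byte AES key with RSA-OAEP, and shows that GCM's authentication tag rejects a tampered ciphertext. Class and method names are my own.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;

import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hybrid encryption: AES-256-GCM for the payload, RSA-OAEP only for the 32-byte AES key. */
public class HybridEncryptionDemo {

    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // authentication tag length

    /** What the sender transmits: wrapped AES key, IV and ciphertext (GCM appends the tag). */
    public static final class Envelope {
        public final byte[] wrappedKey;
        public final byte[] iv;
        public final byte[] ciphertext;

        Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {
            this.wrappedKey = wrappedKey;
            this.iv = iv;
            this.ciphertext = ciphertext;
        }
    }

    public static Envelope seal(byte[] plaintext, PublicKey recipientPublicKey)
            throws GeneralSecurityException {
        // 1. A fresh random symmetric key for this message only.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey aesKey = keyGen.generateKey();

        // 2. Bulk data goes through the fast symmetric cipher, with a new IV per message.
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = aes.doFinal(plaintext);

        // 3. Only the small AES key is protected with the slow asymmetric cipher.
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, recipientPublicKey);
        byte[] wrappedKey = rsa.wrap(aesKey);

        return new Envelope(wrappedKey, iv, ciphertext);
    }

    public static byte[] open(Envelope env, PrivateKey recipientPrivateKey)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, recipientPrivateKey);
        SecretKey aesKey = (SecretKey) rsa.unwrap(env.wrappedKey, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, env.iv));
        // doFinal verifies the GCM tag and throws AEADBadTagException on any modification.
        return aes.doFinal(env.ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        // Constructed sample payload: far larger than the 190 bytes RSA-2048/OAEP could take directly.
        byte[] message = new byte[1 << 20];
        Arrays.fill(message, (byte) 'A');

        Envelope env = seal(message, recipient.getPublic());
        System.out.println("wrapped key bytes: " + env.wrappedKey.length); // 256 for RSA-2048
        System.out.println("round trip ok: "
                + Arrays.equals(message, open(env, recipient.getPrivate())));

        // Flip one ciphertext bit: the tag check rejects the message instead of returning garbage.
        env.ciphertext[0] ^= 0x01;
        try {
            open(env, recipient.getPrivate());
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```

Two design points: the AES key is generated per message and never reused, so the 96-bit IV only has to be unique within that key; and GCM is used rather than CBC so that a modified ciphertext is rejected outright rather than decrypted into attacker-controlled bytes.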

Certificate verification

A website obtains its certificate from a certificate authority (CA). A natural question follows: can I make a certificate myself, the way a CA does, that is, forge one? Anyone can indeed issue a self-signed certificate, which is exactly why the client must verify authenticity instead of accepting whatever the server sends. When a browser makes an HTTPS request it receives the server's certificate (together with any intermediate certificates) and validates it against the trusted root certificates held by the operating system or the browser's own root store. The checks include: the signature chain leads to a trusted root; the certificate is within its validity period (not expired, not yet valid); it has not been revoked or blacklisted (CRL or OCSP); and the hostname being visited matches a name in the certificate. A forged certificate fails the first check, because no trusted root signed it.

HTTPS process

HTTPS is HTTP with a secure transport underneath. HTTP sends data in plain text, which is unacceptable for sensitive information, so Netscape designed the Secure Sockets Layer (SSL); its standardized successor, TLS, is what is used today, and "SSL" in most tools and class names is really TLS. The encryption layer sits between HTTP and TCP. During the handshake the client authenticates the server via its certificate and the two sides use asymmetric cryptography to agree on symmetric session keys; all subsequent HTTP data is encrypted with those session keys before transmission and decrypted by the other side on receipt.

A packet capture tool can still see HTTPS data

To see why, recall how the capture tool was set up. When using Charles, we installed Charles's own root certificate on the phone and pointed the phone at Charles as its HTTP proxy. From then on Charles sits in the middle: for each HTTPS connection it generates a certificate for the target hostname on the fly, signed by that installed root, and presents it to the app, so the app's certificate validation passes. Toward the app Charles plays the server; toward the real server it plays the client, opening its own TLS connection. Traffic is encrypted on both legs but decrypted inside Charles, which is why the data is visible. This is a man-in-the-middle attack, made possible only by the trusted root we installed ourselves.

A normal user who has not installed the Charles certificate is not affected: the generated certificate chains to no trusted root, the handshake fails and the data cannot be read. Note also that apps targeting Android 7.0 (API 24) or later ignore user-installed CAs by default unless they opt in through their network security configuration, so on a recent device the app itself has to cooperate for capture to work.

Using HTTPS on Android

When using HTTPS, first determine whether the server's certificate is issued by a public CA. If it is, the system validates it through its built-in certificate chain and the app needs no extra configuration. Android ships with well over 150 trusted root certificates; you can see them under Settings > Security > Trusted Credentials (the exact path varies by Android version).

When the server uses a self-signed certificate and nothing is configured, the handshake fails with javax.net.ssl.SSLHandshakeException because the client does not trust the server's certificate. In that case we have to trust it explicitly. Explicitly does not mean turning verification off (a TrustManager that accepts every certificate exposes the app to exactly the man-in-the-middle described above); instead we bundle the server's certificate in the APK and accept only that certificate.

  1. Put the server's certificate (PEM or DER; here media.crt, so it becomes R.raw.media) in the res/raw directory. The code below reads it with openRawResource; a file under assets would be opened with AssetManager instead.
  2. Build a TrustManager that trusts only that certificate.

 import android.content.Context;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.cert.CertificateFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;

 // Returns an X509TrustManager whose only trust anchors are the bundled certificates. The
 // system CA store is deliberately not consulted, so any other certificate (including one
 // generated by a proxy) is rejected. Errors propagate instead of being swallowed and turned
 // into a null, which would leave the client silently misconfigured.
 protected static X509TrustManager getTrustManager(Context context, int[] certificates)
         throws IOException, GeneralSecurityException {
     if (context == null) {
         throw new NullPointerException("context == null");
     }
     CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

     // Empty in-memory key store that will hold the trust anchors.
     KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
     keyStore.load(null, null);

     for (int i = 0; i < certificates.length; i++) {
         // try-with-resources closes the stream even if parsing throws.
         try (InputStream is = context.getResources().openRawResource(certificates[i])) {
             keyStore.setCertificateEntry(String.valueOf(i), certificateFactory.generateCertificate(is));
         }
     }

     TrustManagerFactory trustManagerFactory =
             TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     trustManagerFactory.init(keyStore);
     TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
     if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
         throw new IllegalStateException("Unexpected trust managers: " + trustManagers.length);
     }
     return (X509TrustManager) trustManagers[0];
 }

 // Wraps the trust manager in a TLS SSLContext and returns its socket factory.
 protected static SSLSocketFactory getSSLSocketFactory(X509TrustManager trustManager)
         throws GeneralSecurityException {
     SSLContext sslContext = SSLContext.getInstance("TLS");
     sslContext.init(null, new TrustManager[]{trustManager}, null); // null = default SecureRandom
     return sslContext.getSocketFactory();
 }

  3. Install the trust manager on the OkHttpClient.

 private void onHttpCertificates(OkHttpClient.Builder builder)
         throws IOException, GeneralSecurityException {
     int[] certificates = new int[]{R.raw.media};
     X509TrustManager trustManager = getTrustManager(AppContext.context(), certificates);
     // Use sslSocketFactory(), not socketFactory(): socketFactory() configures the plain TCP
     // socket and OkHttp throws if it is given an SSLSocketFactory. OkHttp 3.x/4.x also
     // require the matching trust manager to be passed alongside the factory.
     builder.sslSocketFactory(getSSLSocketFactory(trustManager), trustManager);
 }

There is one more drawback: the bundled certificate carries an expiry date that is now baked into every installed copy of the app. When it expires, or when the server key is rotated, every client breaks until users update the APK. So switch to a certificate issued by a public CA as soon as possible.
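Both problems discussed above, the Charles man-in-the-middle that works only because a user-installed root is trusted, and the self-signed server certificate that must be trusted without disabling verification, can be handled declaratively on Android 7.0 (API 24) and later with a network security configuration instead of hand-written TrustManager code. The file below is an added example for this page, not from the original article; it reuses the page's res/raw/media certificate resource, and the hostname api.example.com is an assumed placeholder. It is enabled by referencing it from the manifest's application element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Enabled in AndroidManifest.xml with
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Default for every host: the system CA store only. A CA the user installed under
         Settings (for example the Charles root) is NOT trusted, so the proxy's generated
         server certificate fails the handshake in release builds. Cleartext HTTP is also
         refused so that a downgrade does not sidestep TLS entirely. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The host with the self-signed certificate: for this domain the only trust anchor is
         the certificate bundled as res/raw/media.crt (PEM or DER). Hostname is assumed. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/media" />
        </trust-anchors>
    </domain-config>

    <!-- Honoured only while android:debuggable="true". Its anchors are added on top of
         every other configuration, so a developer can install the Charles CA as a user
         certificate and inspect traffic in debug builds without that trust ever shipping
         in the release APK. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The practical check after adding this file: a release build connecting through Charles must fail the TLS handshake, and a release build connecting to api.example.com must succeed only when the server presents the bundled certificate. If either test passes when it should not, the configuration is not being applied.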