Closed GoogleCodeExporter closed 8 years ago
Original comment by supp.san...@gmail.com
on 13 Apr 2011 at 12:30
This is a great idea ;)
Original comment by robert.d...@gmail.com
on 14 Apr 2011 at 6:07
Great!
Just two more and I'm on it. ;)
Original comment by supp.san...@gmail.com
on 14 Apr 2011 at 5:03
I had assumed the certificate was imported the first time it was successfully
used, especially given the instructions on the project home page that state the
cert file should be deleted from the SD card. In all likelihood, a user isn't
going to visit a client cert protected site only once and never again; they're
going to visit it regularly, and they're not going to want to be prompted
multiple times on which cert to use. As you've stated, storing the cert on the
SD card in a semi-permanent fashion is insecure as every process (with
permission) can read any file there. However, an app's own database and file
sandbox is restricted just to that app and is readable only by the user ID
assigned to the app in the Android system. There's nowhere safer on an Android
device than the app's own internal database.
No offense, but in my opinion this doesn't need a vote; this is a no-brainer.
To *NOT* store the cert in an internal certificate store is to pose a serious
risk to the user's security for the site they are authenticating against.
Adding a database to an Android app is extremely simple and only takes a little
bit of additional coding. With a bit of extra effort, it would be trivial to
add in an extra table to remember site URLs and which certs the user has chosen
to use with them, meaning that (a) the user does not need to be prompted for
which cert to use for subsequent accesses and (b) the same cert can be used to
authenticate with multiple sites. (I personally use the same CA and collection
of client certs to authentication with three different physical servers, so
each machine only needs one unique client cert.) For extra credit, the
certificate can be encrypted with a randomly generated key before being stored,
making it difficult for even users with root access to the device from stealing
the cert data. Libraries like the Legion of the Bouncy Castle Crypto API make
this fairly simple.
Original comment by jeff.darlington@gmail.com
on 19 Apr 2011 at 1:25
Original comment by supp.san...@gmail.com
on 21 Apr 2011 at 6:43
I prepare demo version how local storage of certificate will be done.
Fell free to comment and make suggestions. I am still working on it.
http://code.google.com/p/sandrob/downloads/detail?name=sandrob_demo_1_0_0_10.apk
http://code.google.com/p/sandrob/source/browse/misc/KeyStoreUtils/src/org/sandro
b/KeyStoreUtils/ExportImport.java
Original comment by supp.san...@gmail.com
on 3 May 2011 at 9:38
I finished implementation of local store and put new version of application on
market.
Original comment by supp.san...@gmail.com
on 8 May 2011 at 2:27
Original issue reported on code.google.com by
supp.san...@gmail.com
on 13 Apr 2011 at 12:30