diff options
Diffstat (limited to 'libs/MemorizingTrustManager/README.mdwn')
-rw-r--r-- | libs/MemorizingTrustManager/README.mdwn | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/libs/MemorizingTrustManager/README.mdwn b/libs/MemorizingTrustManager/README.mdwn new file mode 100644 index 00000000..c48f38de --- /dev/null +++ b/libs/MemorizingTrustManager/README.mdwn @@ -0,0 +1,125 @@ +# MemorizingTrustManager - Private Cloud Support for Your App + +MemorizingTrustManager (MTM) is a project to enable smarter and more secure use +of SSL on Android. If it encounters an unknown SSL certificate, it asks the +user whether to accept the certificate once, permanently or to abort the +connection. This is a step in preventing man-in-the-middle attacks by blindly +accepting any invalid, self-signed and/or expired certificates. + +MTM is aimed at providing seamless integration into your Android application, +and the source code is available under the MIT license. + +## Screenshots + +![MemorizingTrustManager dialog](mtm-screenshot.png) +![MemorizingTrustManager notification](mtm-notification.png) +![MemorizingTrustManager server name dialog](mtm-servername.png) + +## Status + +MemorizingTrustManager is in production use in the +[yaxim XMPP client](https://yaxim.org/). It is usable and easy to integrate, +though it does not yet support hostname validation (the Java API makes it +**hard** to integrate). + +## Integration + +MTM is easy to integrate into your own application. Follow these steps or have +a look into the demo application in the `example` directory. + +### 1. Add MTM to your project + +Download the MTM source from GitHub, or add it as a +[git submodule](http://git-scm.com/docs/git-submodule): + + # plain download: + git clone https://github.com/ge0rg/MemorizingTrustManager + # submodule: + git submodule add https://github.com/ge0rg/MemorizingTrustManager + +Then add a library project dependency to `default.properties`: + + android.library.reference.1=MemorizingTrustManager + +### 2. Add the MTM (popup) Activity to your manifest + +Edit your `AndroidManifest.xml` and add the MTM activity element right before the +end of your closing `</application>` tag. + + ... + <activity android:name="de.duenndns.ssl.MemorizingActivity" + android:theme="@android:style/Theme.Translucent.NoTitleBar" + /> + </application> + </manifest> + +### 3. Hook MTM as the default TrustManager for your connection type + +Hooking MemorizingTrustmanager in HTTPS connections: + + // register MemorizingTrustManager for HTTPS + SSLContext sc = SSLContext.getInstance("TLS"); + MemorizingTrustManager mtm = new MemorizingTrustManager(this); + sc.init(null, new X509TrustManager[] { mtm }, new java.security.SecureRandom()); + HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + HttpsURLConnection.setDefaultHostnameVerifier( + mtm.wrapHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier())); + + +Or, for aSmack you can use `setCustomSSLContext()`: + + org.jivesoftware.smack.ConnectionConfiguration connectionConfiguration = … + SSLContext sc = SSLContext.getInstance("TLS"); + MemorizingTrustManager mtm = new MemorizingTrustManager(this); + sc.init(null, new X509TrustManager[] { mtm }, new java.security.SecureRandom()); + connectionConfiguration.setCustomSSLContext(sc); + connectionConfiguration.setHostnameVerifier( + mtm.wrapHostnameVerifier(new org.apache.http.conn.ssl.StrictHostnameVerifier())); + +By default, MTM falls back to the system `TrustManager` before asking the user. +If you do not trust the establishment, you can enforce a dialog on *every new +connection* by supplying a `defaultTrustManager = null` parameter to the +constructor: + + MemorizingTrustManager mtm = new MemorizingTrustManager(this, null); + +If you want to use a different underlying `TrustManager`, like +[AndroidPinning](https://github.com/moxie0/AndroidPinning), just supply that to +MTM's constructor: + + X509TrustManager pinning = new PinningTrustManager(SystemKeyStore.getInstance(), + new String[] {"f30012bbc18c231ac1a44b788e410ce754182513"}, 0); + MemorizingTrustManager mtm = new MemorizingTrustManager(this, pinning); + +### 4. Profit! + +### Logging + +MTM uses java.util.logging (JUL) for logging purposes. If you have not +configured a Handler for JUL, then Android will by default log all +messages of Level.INFO or higher. In order to get also the debug log +messages (those with Level.FINE or lower) you need to configure a +Handler accordingly. The MTM example project contains +de.duenndns.mtmexample.JULHandler, which allows to enable and disable +debug logging at runtime. + +## Alternatives + +MemorizingTrustManager is not the only one out there. + +[**NetCipher**](https://guardianproject.info/code/netcipher/) is an Android +library made by the [Guardian Project](https://guardianproject.info/) to +improve network security for mobile apps. It comes with a StrongTrustManager +to do more thorough certificate checks, an independent Root CA store, and code +to easily route your traffic through +[the Tor network](https://www.torproject.org/) using [Orbot](https://guardianproject.info/apps/orbot/). + +[**AndroidPinning**](https://github.com/moxie0/AndroidPinning) is another Android +library, written by [Moxie Marlinspike](http://www.thoughtcrime.org/) to allow +pinning of server certificates, improving security against government-scale +MitM attacks. Use this if your app is made to communicate with a specific +server! + +## Contribute + +Please [help translating MTM into more languages](https://translations.launchpad.net/yaxim/master/+pots/mtm/)! |