onehilltech/android-selfsigned


A simple library for supporting self-signed certificates in JVM and Android

Download


Step 1. Add the JitPack repository to your build file

Add it in your root settings.gradle at the end of repositories:

	dependencyResolutionManagement {
		repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
		repositories {
			mavenCentral()
			maven { url 'https://jitpack.io' }
		}
	}

Add it in your settings.gradle.kts at the end of repositories:

	dependencyResolutionManagement {
		repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
		repositories {
			mavenCentral()
			maven { url = uri("https://jitpack.io") }
		}
	}

Add to pom.xml

	<repositories>
		<repository>
		    <id>jitpack.io</id>
		    <url>https://jitpack.io</url>
		</repository>
	</repositories>

Add it in your build.sbt at the end of resolvers:

	resolvers += "jitpack" at "https://jitpack.io"

Add it in your project.clj at the end of repositories:

	:repositories [["jitpack" "https://jitpack.io"]]

Step 2. Add the dependency

	dependencies {
		implementation 'com.github.onehilltech:android-selfsigned:0.4.3'
	}

	dependencies {
		implementation("com.github.onehilltech:android-selfsigned:0.4.3")
	}

	<dependency>
	    <groupId>com.github.onehilltech</groupId>
	    <artifactId>android-selfsigned</artifactId>
	    <version>0.4.3</version>
	</dependency>

	libraryDependencies += "com.github.onehilltech" % "android-selfsigned" % "0.4.3"

	:dependencies [[com.github.onehilltech/android-selfsigned "0.4.3"]]

Readme


android-selfsigned


A simple library for supporting self-signed certificates in Android

  • Integrate with services that use self-signed certificates.
  • Preserve existing security measures on the mobile device.
  • Ideal for prototyping and testing using secure protocols.

NOTE. We strongly recommend that you purchase a certificate from a trusted authority when you move to production.

Installation

Gradle

buildscript {
  repositories {
    maven { url "https://jitpack.io" }
  }
}

dependencies {
  // Only include if using HttpsURLConnection
  compile 'com.github.onehilltech.android-selfsigned:android:x.y.z'

  // Otherwise, use the appropriate module for the framework in use
  compile 'com.github.onehilltech.android-selfsigned:android-volley:x.y.z'
}

Getting Started

Manually define the list of hostnames/IP addresses that use self-signed certificates. It is best to define the list as a resource so you can have a different list for each Gradle configuration:

<resources>
    <string-array name="hostnames">
        <!-- localhost on the Android emulator -->
        <item>10.0.2.2</item>
    </string-array>
</resources>

Define an Application class to initialize the DefaultHostnameVerifier, which is used by HttpsURLConnection.

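import android.app.Application;
import java.util.Arrays;
// SelfSigned is provided by this library; import it from the library's package.

public class TheApplication extends Application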
{
  @Override
  public void onCreate ()
  {
    super.onCreate ();

    String [] hostnames = this.getResources ().getStringArray (R.array.hostnames);
    SelfSigned.getDefaultHostnameVerifier ().addAll (Arrays.asList (hostnames));
  }
}

Make sure you add the TheApplication class to AndroidManifest.xml.

<application
    android:name="[package].TheApplication"
    
    >
    
</application>

Add the public certificate to the application's assets. For example, if the certificate is in a file named server.crt, then it must be added to main/assets/server.crt (or the assets folder for the target configuration).

Now, determine the method for making secure requests:

android-volley

Volley uses HttpsURLConnection under the hood. If you do not set the default SSLSocketFactory, as explained in the HttpsURLConnection section below, then you can use the helper class to create a RequestQueue that supports self-signed certificates:

RequestQueue queue = VolleySelfSigned.newRequestQueue (context, "server.crt");

Now, requests executed on the returned RequestQueue that interact with a hostname/IP address defined in the resources above will not throw the usual security exceptions.

HttpsURLConnection

First, create an SSLContext that uses the public certificate bundled as an asset:

SSLContext sslContext = AndroidSelfSigned.newSSLContext (context, "server.crt");

Attach the SSLContext to an HttpsURLConnection:

URL url = new URL ("https://10.0.2.2");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection ();
conn.setSSLSocketFactory (sslContext.getSocketFactory ());

You can even set the SSLContext as the default so you do not have to initialize the SSLSocketFactory for each HttpsURLConnection:

HttpsURLConnection.setDefaultSSLSocketFactory (sslContext.getSocketFactory ());

If you use this approach, it is best to do so in the Application class for your application.
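
The steps above can be written in plain JSSE as follows. This is an added example, not the library's own code, showing a trust store holding only the bundled certificate plus a hostname exception limited to an allowlist. The class PinnedTls and its method names are hypothetical; the input stream is assumed to come from the asset (for example context.getAssets ().open ("server.crt")).

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of android-selfsigned.
public final class PinnedTls {
  // Build an SSLContext whose only trust anchor is the certificate read from `in`.
  public static SSLContext contextFor(InputStream in) throws Exception {
    Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);

    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    store.load(null, null);                         // empty in-memory store
    store.setCertificateEntry("self-signed", cert); // the single trusted certificate

    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(store);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  // Skip the hostname match only for allowlisted hosts; every other host is
  // still checked by the platform's default verifier. The certificate itself
  // must validate against the trust store above in both cases.
  public static HostnameVerifier verifierFor(Set<String> allowed) {
    HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();
    return (host, session) -> allowed.contains(host) || platform.verify(host, session);
  }

  // Apply both to one connection, leaving the process-wide defaults untouched.
  public static void apply(HttpsURLConnection conn, SSLContext ctx, Set<String> allowed) {
    conn.setSSLSocketFactory(ctx.getSocketFactory());
    conn.setHostnameVerifier(verifierFor(allowed));
  }
}
```

Scoping the factory and verifier to individual connections keeps the hostname exception away from the rest of the app's HTTPS traffic, and a context built this way trusts nothing except the bundled certificate.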