ProAndroidDev

The latest posts from Android Professionals and Google Developer Experts.


Practical network for Android Developers (part 2)


Easy data layer for every Application

Here is the list of the blogs in this series:

Practical network for Android Developers

This is the second part of the series “Practical Network for Android Developers”; today we are going to discuss TLS, certificates, and pinning logic!

TLS

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL and works in much the same way, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry, although the name SSL is still widely used. To keep your app secure you need a TLS certificate: your server holds a private key and a public key, and your app and your server perform a handshake in which the server uses the private key of a certificate that has been signed using public-key cryptography. This has changed a lot in the last couple of years, because HTTP needs the secure transport layer and every version of HTTP means a new version of TLS.

HTTP/1.1 with TLS

It introduces TLS streams: pretty much every request you make in this standard is carried over a TCP stream, split into packets.
TCP is a connection-oriented protocol, meaning it first sets up a connection to the receiver and then sends the data in segments (the PDU of the transport layer), which are carried by IP packets.

HTTP/2 with TLS

It uses a multiplexed TCP/IP connection to make multiple HTTP requests at the same time, limiting the overhead of creating and closing connections.
Also, and probably the biggest change, the HTTP request/response becomes a message that is divided into a number of discrete chunks, each carried in a frame whose size is encoded in the frame header; for example, HEADERS is one frame and DATA another.

HTTP/3 with TLS

In this version the transport is UDP, a connection-less transport protocol (just like IP) that transfers data without setting up a connection, simply sending datagram messages down to the IP layer. QUIC provides a handshake that authenticates the end-points and negotiates the cryptographic parameters; QUIC has its own framing format while keeping the same TLS handshake messages.

In the previous part of this series we talked about using OkHttpClient to build an HTTP client; we can also add a TLS layer to it in a simple way:

There are tons of CipherSuite values in OkHttp; all of them encrypt data, but each one does it in a different way, so keep an eye on the process before just picking a random one!

Certificates

First of all, we need to talk about digital certificates: they are used to certify the ownership of a public key. TLS certificates are a type of digital certificate issued by a Certificate Authority; they pretty much verify that FakeCompany.com belongs to the person who claims to be the owner.

You can find more information about the implementation in my past series Modern security for Android Developers (Part 6), where we discuss how to implement certificates using KeyStore to keep them safe from prying eyes, and the implications that having a certificate has for the security of your users!

Certificate Pinning

If a certificate authority gives you a way to validate ownership, there must be a way to link a service to a specific key; once a certificate is established it is permanently pinned to the service, and this is called Certificate Pinning.

There are multiple limitations to pinning a certificate, especially because it limits your ability to migrate between certificate authorities: if you pin your certificate, the DevOps engineers cannot update their TLS certificate.
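As an added example (not code from the original post), here is how the TLS configuration from the OkHttp section above and a certificate pin can be combined on one OkHttpClient. The host name and the two sha256 pins are placeholders; the second pin is for a backup key kept offline, which is the usual way to keep the rotation problem described above from locking users out of the app.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.CipherSuite
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion
import java.util.concurrent.TimeUnit

// Placeholder host; replace with your own API host.
private const val API_HOST = "api.fakecompany.example"

// Placeholder pins (base64 of the SHA-256 over the certificate's Subject Public Key Info).
// Compute the real value for a certificate with CertificatePinner.pin(x509Certificate).
// Two pins are registered on purpose: the key used in production today and a backup key
// whose private half stays offline, so the certificate (or even the CA) can be rotated to
// the backup key without shipping a new app version.
private const val PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val PIN_BACKUP = "sha256/EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="

// Allow only TLS 1.2 and 1.3, and only AEAD cipher suites with forward secrecy.
private val tlsSpec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
    .cipherSuites(
        CipherSuite.TLS_AES_128_GCM_SHA256,        // TLS 1.3
        CipherSuite.TLS_AES_256_GCM_SHA384,        // TLS 1.3
        CipherSuite.TLS_CHACHA20_POLY1305_SHA256,  // TLS 1.3
        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    )
    .build()

// Both pins are accepted for the host; the handshake fails if neither matches the chain.
private val pinner: CertificatePinner = CertificatePinner.Builder()
    .add(API_HOST, PIN_CURRENT)
    .add(API_HOST, PIN_BACKUP)
    .build()

fun buildSecureClient(): OkHttpClient = OkHttpClient.Builder()
    .connectionSpecs(listOf(tlsSpec))  // no CLEARTEXT spec, so plain http:// is refused
    .certificatePinner(pinner)
    .connectTimeout(10, TimeUnit.SECONDS)
    .build()
```

When a pin check fails, OkHttp throws an SSLPeerUnverifiedException whose message lists the pins of the chain it actually received, which is the easiest way to confirm that the value you shipped matches the server's current key.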

This is all for this part of the post. For the next part, we will discuss Authenticators and Interceptors!

If you need help:

I’m always happy to help, you can find me here:
Medium as Dinorah Tovar
Twitter as @ddinorahtovar
StackOverflow as Dinorah Tovar

Happy Coding! 👩🏻‍💻



Written by Dinorah Tovar

Google Developer Expert on Android | Doing Kotlin | Making Software 24/7 | Kotlin Multiplatform | She/Her | Opinions are my own, and not my employer
