X509Certificate in Android permissions #6
Comments
|
Me: "My kingdom for a blog post to read on this subject" I added my ca.crt to the android phone. Add & remove certificates Still getting exception. Now searching "xamarin conditionally choose file path uwp android" Hmm wonder why this isn't working for me in vs2017? But let's stay on track. This looks interesting Javax.Net.Ssl.IX509KeyManager is it abstracted in XamarinForms? X509StoreManager Doh! broken link... Reported to; xamarinhq JamesMontemagno CodeMillMatt via a tweet. To recap. I'm attempting to tls secure mqtt connection currently with M2MqttDotNet This is basically working in UWP I am now attempting to accomplish same on Android phone. At the same time searching for a real world solution as this is insecure. // in my Settings service
FileData fileData = await Plugin.FilePicker.CrossFilePicker.Current.PickFile();
if (fileData == null)
return; // user canceled file picking
string fileName = fileData.FileName;
string content = Convert.ToBase64String(fileData.DataArray, 0, fileData.DataArray.Length,
Base64FormattingOptions.None);
// in my MqttDataServices
string deviceFileName = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), fileName);
File.WriteAllText(deviceFileName, content);
string thePfxPathOnDevice = Path.Combine(filesDirectoryBasePath, "xamarinclient.pfx");
string theBase64EncodedPfx = File.ReadAllText(thePfxPathOnDevice);
byte[] certificate = Convert.FromBase64String(theBase64EncodedPfx);
X509Certificate2 clientCert = new X509Certificate2(certificate, "xamarin");
_client = new MqttClient(
GetHostName(_xpdSetting.MqttBrokerAddress),
Int32.Parse(_xpdSetting.MqttBrokerTlsPort),
_xpdSetting.UseTls,
caCert,
clientCert,
MqttSslProtocols.TLSv1_2,
MyRemoteCertificateValidationCallback); |
|
In theory, we should check the system certificate store on Android, but I'm not sure whether this is very well tested. The code is in I suppose you're trying to use a client certificate from a custom CA and installed that custom CA certificate in the system store on the device? You need to make sure that your PFX file contains both the client certificate and the CA certificate (as well as the private key). To create the CA file, something like this should work: If this still doesn't work for you, then you can also try using the Mono-specific APIs in There is Please let me know whether this works for you and don't hesitate to ask if you have any further questions. It is certainly possible that we're having a bug in the certificate validation code that we need to look at. |
|
Hi @baulig thank you for taking the time to comment on my issues encountered while learning how to secure my existing mqtt xamarinforms applications.
I am using a self signed certificate. In the wiki I have a section on the Resources page Self Signed certificates and some additional notes on creating the .pfx Note that this repository has examples of working applications using the self signed certificate. Goal is to learn how to accomplish this in XamarinForms in a real world manner that is publishable in the mobile stores. Although this file picker method I'm doing works in a UWP app but not in the Android (so far) I don't believe it is secure or would pass certification tests for the mobile stores.
Check out this guide about importing self signed certificates to android. Anyone ever seen / used / confirmed this extra step? ( I'm still trying to understand how I can programmatically access the certificates I've installed on the Android device? -- not the ones I saved with the FilePicker. Can someone give me a clear code snippet for that? |
|
I just looked at the certificate validation code and what it does is essentially This is the entry point: https://github.com/mono/mono/blob/master/mcs/class/System/Mono.Btls/MonoBtlsX509LookupAndroid.cs, it calls this code https://github.com/mono/mono/blob/master/mcs/class/System/System/AndroidPlatform.cs#L101 which then calls into The So you should be able to do this via |
|
Thank you again @baulig Are you saying that the current mono implementation of I've been searching for a couple days now, my current knowledge doesn't know how to use Java in XamarinForms apps. Apparently my search skills are failing me too as I can not find a learning resource to teach me about using Java in XamarinForms. Can you point me to some learning resources to study? Can you elaborate with a more verbose code snippet? |
|
Maybe this is what I need Android Callable Wrappers I'm looking for a sample. |
|
This Stack Overflow question, Android TLS connection and self signed certificate, points to an answer with a good read from December 28, 2011 Using a Custom Certificate Trust Store on Android |
On newer API levels, Android will not allow apps to automatically trust "user" based certs, the app itself has to elect to use those certs as it is a big security hole that Google patched in the ASOP code. So, you really want to do that during debugging sessions, you need to add the following inside your
Now add a To use .Net/Mono See my SO answer here for a HOWTO: https://stackoverflow.com/a/54918218/4984832 Of course for production do not use a self-signed cert, use a trusted CA-based cert (i.e. Let’s Encrypt provides them for free) |
|
Notes and comments as I begin to attempt to implement your suggested solution.
I have successfully secured my cloud vm(s) and my home server with letsencrypt. This push to secure my mobile apps is part of my push to quit ignoring security. The eventual goal is a production app. I'm hoping that this repository will be a resource for others to secure their mqtt apps. All my research indicates that letsencrypt certificates can not be used to sign client certificates. See; Let's Encrypt and client certificates Aren't Self Signed Certificates used in Enterprise apps? I did successfully secure my mosquitto broker with my letsencrypt certificate in a python app. I couldn't figure out how to implement it in |
|
@jhalbrecht > Aren't Self Signed Certificates used in Enterprise apps? I can not speak for "all" enterprises and I can not speak for your environment, but the ones that I have worked with do not use self-signed certs (SSC) in production and as a contract DevOps I just refuse to even with really small clients and design houses (too much to lose as a contractor). There are even healthy|heated debates on if developers should even use SSCs... Normally they either maintain their own CA or use a 3rd-party CA. The basic reasoning is if a self-signed cert is compromised, how do you revoke it?, the answer is the signer cannot. You can black-list it, remove it from use, etc... but you can not revoke it. So with my large enterprise clients, they issue a different cert for "each" end-point grouping, typically using intermediates that were issued to each project|department|... Of course a very few are large enough to use "subordinate" roots (ie. intermediates that are enabled with the CA constraint), but those have dedicated groups and automated systems for issuing certs and I'm not in that league and just become a consumer of their output at that point, I'm just a humble DevOp that needs secure connections ;-) Sometimes a project is "so small", people say, what the heck, just use a SSC... That decision is up to you and your organization. I've been involved in one project that started that way, and later organically grew to include more users internally and then externally, cloud-based end-points, SQL transports between DCs, mobile apps in the wild via Play/Apple store, etc... One day, an external security audit caused that project to suffer a multi-week outage when a SSC was found compromised and customer data was leaking... fortunately for me, I was not in the line of fire for that issue but was brought back in as a member of an outside team that did not sleep of two weeks as we redid the transport security from scratch. Being involved in a data breach, from customer $ data to just an inconsequential email/chat message, that has to be publicly disclosed, it just not something I wish on anyone. Personally that wholesale supply ordering app I just finished uses a CA trusted root and it only has a few in-house captive sales/marketing users using it on dedicated Android devices, but thats just me 🍣 |
The fact that he states:
is totally incorrect. I would love to give his apps to my sec. researcher friends as a compromised app has free access to a fully authenticated pipeline to his data... |
Also see; X509Certificate2 in UWP #5
The UWP app of this sample xamarinforms application is working. The android app not so much.
I'm not sure of what permissions for the Android Manifest. I searched a bit and found this issue on eclipse/paho.mqtt.android Permissions #98 I used these;
I'm getting this error at runtime.
The text was updated successfully, but these errors were encountered: