本文共 22286 字,大约阅读时间需要 74 分钟。
原书:
译者:
协议:
你可以通过下面的图表(图 5.4-1)找出你应该实现的 HTTP / HTTPS 通信类型。
当发送或接收敏感信息时,将使用 HTTPS 通信,因为其通信通道使用 SSL / TLS 加密。 以下敏感信息需要 HTTPS 通信。
具有网络通信的智能手机应用是“系统”和 Web 服务器的一部分。 而且你必须根据整个“系统”的安全设计和编码,为每个通信选择 HTTP 或 HTTPS。 表 5.4-1 用于比较 HTTP 和 HTTPS。 表 5.4-2 是示例代码的差异。
表 5.4-1 HTTP 与 HTTPS 通信方式的比较
HTTP | HTTPS |
---|---|
特性 | URL |
加密内容 | |
内容的篡改检测 | |
对服务器进行认证 | |
损害的风险 | 由攻击者读取内容 |
由攻击者修改内容 | |
应用访问了伪造的服务器 |
表 5.4-2 HTTP/HTTPS 通信示例代码的解释
示例代码 | 通信 | 收发敏感信息 | 服务器证书 |
---|---|---|---|
通过 HTTP 的通信 | HTTP | 不适用 | - |
通过 HTTPS 的通信 | HTTPS | OK | 服务器证书由可信第三方机构签署,例如 Cybertrust 和 VeriSign |
通过 HTTPS 使用私有证书的通信 | HTTTPS | OK | 私有证书(经常能在内部服务器或测试服务器上看到的操作) |
Android 支持java.net.HttpURLConnection
/ javax.net.ssl.HttpsURLConnection
作为 HTTP / HTTPS 通信 API。 在 Android 6.0(API Level 23)版本中,另一个 HTTP 客户端库 Apache HttpClient 的支持已被删除。
它基于两个前提,即通过 HTTP 通信发送/接收的所有内容都可能被攻击者嗅探和篡改,并且你的目标服务器可能被攻击者准备的假服务器替换。 只有在没有造成损害或损害在允许范围内的情况下,才能使用 HTTP 通信,即使在本地也是如此。 如果应用无法接受该前提,请参阅“5.4.1.2 通过 HTTPS 进行通信”和“5.4.1.3 通过 HTTPS 使用私有证书进行通信”。
以下示例代码显示了一个应用,它在 Web 服务器上执行图像搜索,获取结果图像并显示它。与服务器的 HTTP 通信在搜索时执行两次。第一次通信是搜索图像数据,第二次是获取它。它使用AsyncTask
创建用于通信过程的工作线程,来避免在 UI 线程上执行通信。与服务器的通信中发送/接收的内容,在这里不被认为是敏感的(例如,用于搜索的字符串,图像的 URL 或图像数据)。因此,接收到的数据,如图像的 URL 和图像数据,可能由攻击者提供。为了简单地显示示例代码,在示例代码中没有采取任何对策,通过将接收到的攻击数据视为可容忍的。此外,在 JSON 解析或显示图像数据期间,可能出现异常的处理将被忽略。根据应用规范,有必要正确处理例外情况。
要点:
HttpImageSearch.java
package org.jssec.android.https.imagesearch;import android.os.AsyncTask;import org.json.JSONException;import org.json.JSONObject;import java.io.BufferedInputStream;import java.io.ByteArrayOutputStream;import java.io.IOException;import java.net.HttpURLConnection;import java.net.URL;public abstract class HttpImageSearch extends AsyncTask{ @Override protected Object doInBackground(String... params) { byte[] responseArray; // -------------------------------------------------------- // Communication 1st time: Execute image search // -------------------------------------------------------- // *** POINT 1 *** Sensitive information must not be contained in send data. // Send image search character string StringBuilder s = new StringBuilder(); for (String param : params){ s.append(param); s.append('+'); } s.deleteCharAt(s.length() - 1); String search_url = "http://ajax.googleapis.com/ajax/services/search/images?v=1.0&q=" + s.toString(); responseArray = getByteArray(search_url); if (responseArray == null) { return null; } // *** POINT 2 *** Suppose that received data may be sent from attackers. // This is sample, so omit the process in case of the searching result is the data from an attacker. // This is sample, so omit the exception process in case of JSON purse. String image_url; try { String json = new String(responseArray); image_url = new JSONObject(json).getJSONObject("responseData") .getJSONArray("results").getJSONObject(0).getString("url"); } catch(JSONException e) { return e; } // -------------------------------------------------------- // Communication 2nd time: Get images // -------------------------------------------------------- // *** POINT 1 *** Sensitive information must not be contained in send data. if (image_url != null ) { responseArray = getByteArray(image_url); if (responseArray == null) { return null; } } // *** POINT 2 *** Suppose that received data may be sent from attackers. return responseArray; } private byte[] getByteArray(String strUrl) { byte[] buff = new byte[1024]; byte[] result = null; HttpURLConnection response; BufferedInputStream inputStream = null; ByteArrayOutputStream responseArray = null; int length; try { URL url = new URL(strUrl); response = (HttpURLConnection) url.openConnection(); response.setRequestMethod("GET"); response.connect(); checkResponse(response); inputStream = new BufferedInputStream(response.getInputStream()); responseArray = new ByteArrayOutputStream(); while ((length = inputStream.read(buff)) != -1) { if (length > 0) { responseArray.write(buff, 0, length); } } result = responseArray.toByteArray(); } catch (IOException e) { e.printStackTrace(); } finally { if (inputStream != null) { try { inputStream.close(); } catch (IOException e) { // This is sample, so omit the exception process } } if (responseArray != null) { try { responseArray.close(); } catch (IOException e) { // This is sample, so omit the exception process } } } return result; } private void checkResponse(HttpURLConnection response) throws IOException { int statusCode = response.getResponseCode(); if (HttpURLConnection.HTTP_OK != statusCode) { throw new IOException("HttpStatus: " + statusCode); } }}
ImageSearchActivity.java
package org.jssec.android.https.imagesearch;import android.app.Activity;import android.graphics.Bitmap;import android.graphics.BitmapFactory;import android.os.AsyncTask;import android.os.Bundle;import android.view.View;import android.widget.EditText;import android.widget.ImageView;import android.widget.TextView;public class ImageSearchActivity extends Activity { private EditText mQueryBox; private TextView mMsgBox; private ImageView mImgBox; private AsyncTaskmAsyncTask ; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); mQueryBox = (EditText)findViewById(R.id.querybox); mMsgBox = (TextView)findViewById(R.id.msgbox); mImgBox = (ImageView)findViewById(R.id.imageview); } @Override protected void onPause() { // After this, Activity may be deleted, so cancel the asynchronization process in advance. if (mAsyncTask != null) mAsyncTask.cancel(true); super.onPause(); } public void onHttpSearchClick(View view) { String query = mQueryBox.getText().toString(); mMsgBox.setText("HTTP:" + query); mImgBox.setImageBitmap(null); // Cancel, since the last asynchronous process might not have been finished yet. if (mAsyncTask != null) mAsyncTask.cancel(true); // Since cannot communicate by UI thread, communicate by worker thread by AsynchTask. mAsyncTask = new HttpImageSearch() { @Override protected void onPostExecute(Object result) { // Process the communication result by UI thread. if (result == null) { mMsgBox.append("¥nException occurs¥n"); } else if (result instanceof Exception) { Exception e = (Exception)result; mMsgBox.append("¥nException occurs¥n" + e.toString()); } else { // Exception process when image display is omitted here, since it's sample. byte[] data = (byte[])result; Bitmap bmp = BitmapFactory.decodeByteArray(data, 0, data.length); mImgBox.setImageBitmap(bmp); } } }.execute(query); // pass search character string and start asynchronous process } public void onHttpsSearchClick(View view) { String query = mQueryBox.getText().toString(); mMsgBox.setText("HTTPS:" + query); mImgBox.setImageBitmap(null); // Cancel, since the last asynchronous process might not have been finished yet. if (mAsyncTask != null) mAsyncTask.cancel(true); // Since cannot communicate by UI thread, communicate by worker thread by AsynchTask. mAsyncTask = new HttpsImageSearch() { @Override protected void onPostExecute(Object result) { // Process the communication result by UI thread. if (result instanceof Exception) { Exception e = (Exception)result; mMsgBox.append("¥nException occurs¥n" + e.toString()); } else { byte[] data = (byte[])result; Bitmap bmp = BitmapFactory.decodeByteArray(data, 0, data.length); mImgBox.setImageBitmap(bmp); } } }.execute(query); // pass search character string and start asynchronous process }}
AndroidManifest.xml
在 HTTPS 通信中,检查服务器是否可信,以及传输的数据是否加密。 为了验证服务器,Android HTTPS 库验证“服务器证书”,它在 HTTPS 事务的握手阶段从服务器传输,其要点如下:
如果上述验证失败,则会引发SSLException
(服务器证书验证异常)。 这可能意味着中间人攻击或服务器证书缺陷。 你的应用必须根据应用规范,以适当的顺序处理异常。
下一个示例代码用于 HTTPS 通信,它使用可信的第三方证书机构颁发的服务器证书连接到 Web 服务器。 对于使用私有服务器证书的 HTTPS 通信,请参阅“5.4.1.3 通过 HTTPS 使用私有证书进行通信”。
以下示例代码展示了一个应用,它在 Web 服务器上执行图像搜索,获取结果图像并显示它。 与服务器的 HTTPS 通信在搜索时执行两次。 第一次通信是搜索图像数据,第二次是获取它。 它使用AsyncTask
创建用于通信过程的工作线程,来避免在 UI 线程上执行通信。 与服务器的通信中发送/接收的所有内容,在这里被认为是敏感的(例如,用于搜索的字符串,图像的 URL 或图像数据)。 为了简单地显示示例代码,不会执行针对SSLException
的特殊处理。 根据应用规范,有必要正确处理异常。 另外,下面的示例代码允许使用 SSLv3 进行通信。 通常,我们建议配置远程服务器上的设置来禁用 SSLv3,以避免针对 SSLv3 中的漏洞(称为 POODLE)的攻击。
要点:
https://
开头。SSLException
应该在应用中以适当的顺序处理。HttpsImageSearch.java
package org.jssec.android.https.imagesearch;import org.json.JSONException;import org.json.JSONObject;import android.os.AsyncTask;import java.io.BufferedInputStream;import java.io.ByteArrayOutputStream;import java.io.IOException;import java.net.HttpURLConnection;import java.net.URL;public abstract class HttpsImageSearch extends AsyncTask{ @Override protected Object doInBackground(String... params) { byte[] responseArray; // -------------------------------------------------------- // Communication 1st time : Execute image search // -------------------------------------------------------- // *** POINT 1 *** URI starts with https://. // *** POINT 2 *** Sensitive information may be contained in send data. StringBuilder s = new StringBuilder(); for (String param : params){ s.append(param); s.append('+'); } s.deleteCharAt(s.length() - 1); String search_url = "https://ajax.googleapis.com/ajax/services/search/images?v=1.0&q=" + s.toString(); responseArray = getByteArray(search_url); if (responseArray == null) { return null; } // *** POINT 3 *** Handle the received data carefully and securely, // even though the data was sent from the server connected by HTTPS. // Omitted, since this is a sample. Please refer to "3.2 Handling Input Data Carefully and Securely." String image_url; try { String json = new String(responseArray); image_url = new JSONObject(json).getJSONObject("responseData") .getJSONArray("results").getJSONObject(0).getString("url"); } catch(JSONException e) { return e; } // -------------------------------------------------------- // Communication 2nd time : Get image // -------------------------------------------------------- // *** POINT 1 *** URI starts with https://. // *** POINT 2 *** Sensitive information may be contained in send data. if (image_url != null ) { responseArray = getByteArray(image_url); if (responseArray == null) { return null; } } return responseArray; } private byte[] getByteArray(String strUrl) { byte[] buff = new byte[1024]; byte[] result = null; HttpURLConnection response; BufferedInputStream inputStream = null; ByteArrayOutputStream responseArray = null; int length; try { URL url = new URL(strUrl); response = (HttpURLConnection) url.openConnection(); response.setRequestMethod("GET"); response.connect(); checkResponse(response); inputStream = new BufferedInputStream(response.getInputStream()); responseArray = new ByteArrayOutputStream(); while ((length = inputStream.read(buff)) != -1) { if (length > 0) { responseArray.write(buff, 0, length); } } result = responseArray.toByteArray(); } catch (IOException e) { e.printStackTrace(); } finally { if (inputStream != null) { try { inputStream.close(); } catch (IOException e) { // This is sample, so omit the exception process } } if (responseArray != null) { try { responseArray.close(); } catch (IOException e) { // This is sample, so omit the exception process } } } return result; } private void checkResponse(HttpURLConnection response) throws IOException { int statusCode = response.getResponseCode(); if (HttpURLConnection.HTTP_OK != statusCode) { throw new IOException("HttpStatus: " + statusCode); } }}
其他示例代码文件与“5.4.1.1 通过 HTTP 进行通信”相同,因此请参阅“5.4.1.1 通过 HTTP 进行通信”。
这部分展示了一个 HTTPS 通信的示例代码,其中包含私人颁发的服务器证书(私有证书),但不是可信的第三方机构颁发的服务器证书。 请参阅“5.4.3.1 如何创建私有证书并配置服务器”,来创建私有证书机构和私有证书的根证书,并在 Web 服务器中设置 HTTPS。 示例程序的资产中包含cacert.crt
文件。 它是私有证书机构的根证书文件。
以下示例代码展示了一个应用,在 Web 服务器上获取图像并显示该图像。 HTTPS 用于与服务器的通信。 它使用AsyncTask
创建用于通信过程的工作线程,来避免在 UI 线程上执行通信。 与服务器的通信中发送/接收的所有内容(图像的 URL 和图像数据)都被认为是敏感的。 为了简单地显示示例代码,不会执行针对SSLException
的特殊处理。 根据应用规范,有必要正确处理异常。
要点:
https://
开头。SSLException
应该在应用中以适当的顺序处理。PrivateCertificathettpsGet.java
package org.jssec.android.https.privatecertificate;import java.io.BufferedInputStream;import java.io.ByteArrayOutputStream;import java.io.IOException;import java.net.HttpURLConnection;import java.net.URL;import java.security.KeyStore;import java.security.SecureRandom;import javax.net.ssl.HostnameVerifier;import javax.net.ssl.HttpsURLConnection;import javax.net.ssl.SSLContext;import javax.net.ssl.SSLException;import javax.net.ssl.SSLSession;import javax.net.ssl.TrustManagerFactory;import android.content.Context;import android.os.AsyncTask;public abstract class PrivateCertificateHttpsGet extends AsyncTask{ private Context mContext; public PrivateCertificateHttpsGet(Context context) { mContext = context; } @Override protected Object doInBackground(String... params) { TrustManagerFactory trustManager; BufferedInputStream inputStream = null; ByteArrayOutputStream responseArray = null; byte[] buff = new byte[1024]; int length; try { URL url = new URL(params[0]); // *** POINT 1 *** Verify a server certificate with the root certificate of a private certificate authority. // Set keystore which includes only private certificate that is stored in assets, to client. KeyStore ks = KeyStoreUtil.getEmptyKeyStore(); KeyStoreUtil.loadX509Certificate(ks, mContext.getResources().getAssets().open("cacert.crt")); // *** POINT 2 *** URI starts with https://. // *** POINT 3 *** Sensitive information may be contained in send data. trustManager = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManager.init(ks); SSLContext sslCon = SSLContext.getInstance("TLS"); sslCon.init(null, trustManager.getTrustManagers(), new SecureRandom()); HttpURLConnection con = (HttpURLConnection)url.openConnection(); HttpsURLConnection response = (HttpsURLConnection)con; response.setDefaultSSLSocketFactory(sslCon.getSocketFactory()); response.setSSLSocketFactory(sslCon.getSocketFactory()); checkResponse(response); // *** POINT 4 *** Received data can be trusted as same as the server. inputStream = new BufferedInputStream(response.getInputStream()); responseArray = new ByteArrayOutputStream(); while ((length = inputStream.read(buff)) != -1) { if (length > 0) { responseArray.write(buff, 0, length); } } return responseArray.toByteArray(); } catch(SSLException e) { // *** POINT 5 *** SSLException should be handled with an appropriate sequence in an application. // Exception process is omitted here since it's sample. return e; } catch(Exception e) { return e; } finally { if (inputStream != null) { try { inputStream.close(); } catch (Exception e) { // This is sample, so omit the exception process } } if (responseArray != null) { try { responseArray.close(); } catch (Exception e) { // This is sample, so omit the exception process } } } } private void checkResponse(HttpURLConnection response) throws IOException { int statusCode = response.getResponseCode(); if (HttpURLConnection.HTTP_OK != statusCode) { throw new IOException("HttpStatus: " + statusCode); } }}
KeyStoreUtil.java
package org.jssec.android.https.privatecertificate;import java.io.IOException;import java.io.InputStream;import java.security.KeyStore;import java.security.KeyStoreException;import java.security.NoSuchAlgorithmException;import java.security.cert.Certificate;import java.security.cert.CertificateException;import java.security.cert.CertificateFactory;import java.security.cert.X509Certificate;import java.util.Enumeration;public class KeyStoreUtil { public static KeyStore getEmptyKeyStore() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { KeyStore ks = KeyStore.getInstance("BKS"); ks.load(null); return ks; } public static void loadAndroidCAStore(KeyStore ks) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { KeyStore aks = KeyStore.getInstance("AndroidCAStore"); aks.load(null); Enumerationaliases = aks.aliases(); while (aliases.hasMoreElements()) { String alias = aliases.nextElement(); Certificate cert = aks.getCertificate(alias); ks.setCertificateEntry(alias, cert); } } public static void loadX509Certificate(KeyStore ks, InputStream is) throws CertificateException, KeyStoreException { try { CertificateFactory factory = CertificateFactory.getInstance("X509"); X509Certificate x509 = (X509Certificate)factory.generateCertificate(is); String alias = x509.getSubjectDN().getName(); ks.setCertificateEntry(alias, x509); } finally { try { is.close(); } catch (IOException e) { /* This is sample, so omit the exception process */ } } }}
PrivateCertificateHttpsActivity.java
package org.jssec.android.https.privatecertificate;import android.app.Activity;import android.graphics.Bitmap;import android.graphics.BitmapFactory;import android.os.AsyncTask;import android.os.Bundle;import android.view.View;import android.widget.EditText;import android.widget.ImageView;import android.widget.TextView; public class PrivateCertificateHttpsActivity extends Activity { private EditText mUrlBox; private TextView mMsgBox; private ImageView mImgBox; private AsyncTaskmAsyncTask ; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); mUrlBox = (EditText)findViewById(R.id.urlbox); mMsgBox = (TextView)findViewById(R.id.msgbox); mImgBox = (ImageView)findViewById(R.id.imageview); } @Override protected void onPause() { // After this, Activity may be discarded, so cancel asynchronous process in advance. if (mAsyncTask != null) mAsyncTask.cancel(true); super.onPause(); } public void onClick(View view) { String url = mUrlBox.getText().toString(); mMsgBox.setText(url); mImgBox.setImageBitmap(null); // Cancel, since the last asynchronous process might have not been finished yet. if (mAsyncTask != null) mAsyncTask.cancel(true); // Since cannot communicate through UI thread, communicate by worker thread by AsynchTask. mAsyncTask = new PrivateCertificateHttpsGet(this) { @Override protected void onPostExecute(Object result) { // Process the communication result through UI thread. if (result instanceof Exception) { Exception e = (Exception)result; mMsgBox.append("¥nException occurs¥n" + e.toString()); } else { byte[] data = (byte[])result; Bitmap bmp = BitmapFactory.decodeByteArray(data, 0, data.length); mImgBox.setImageBitmap(bmp); } } }.execute(url); // Pass URL and start asynchronization process }}
转载地址:http://benna.baihongyu.com/