Posts

Showing posts from 2011

Using a Custom Certificate Trust Store on Android

As mentioned in a previous post, Android 4.0 (ICS) adds both a system UI and SDK APIs that let you add certificates to the system trust store. On all previous versions though, the system trust store is read-only and there is no way to add certificates on non-rooted devices. Therefore, if you want to connect to a server that is using a certificate not signed by one of the CAs included in the system trust store (including a self-signed one), you need to create and use a private trust store for the application. That is not particularly hard to do, but 'how to connect to a server with a self-signed certificate' is one of the most asked Android questions on StackOverflow, and the usual answer goes along the lines of 'simply trust all certificates and you are done'. While this will indeed let you connect, and might be OK for testing, it defeats the whole purpose of using HTTPS: your connection might be encrypted but you have no way of knowing who you are talking to

Using ECDH on Android

Elliptic curve cryptography (ECC) offers equivalent or higher levels of security than the currently widely deployed RSA and Diffie–Hellman (DH) algorithms using much shorter keys. For example, the computational effort for cryptanalysis of a 160-bit ECC key is roughly equivalent to that of a 1024-bit key (NIST). The shift to ECC has however been fairly slow, mostly due to the added complexity, the need for standardization, and of course, patents. Standards are now available (more than a few, of course) and efficient implementations in both software and dedicated hardware have been developed. This, along with the constant need for higher security, is pushing the wider adoption of ECC. Let's see if, and how, we can use ECC on Android, specifically to perform key exchange using the ECDH (Elliptic Curve Diffie-Hellman) algorithm. Android uses the Bouncy Castle Java libraries to implement some of its cryptographic functionality. It acts as the default JCE crypto provider, access

Hanzi Recognizer v2.0 Released

The latest version is now available in the Android Market. There are no new user-visible features, but the renewed UI and full support for tablets warrant the major version bump. Hanzi Recognizer now has an app-wide action bar, available both on the newer Ice Cream Sandwich (4.0) and Honeycomb (3.x) Android versions, and on all mainstream Android 2.x versions. Functions previously only accessible via the overflow menu are now easier to use and discover courtesy of the action bar. Here's a screenshot of the app's main screen: The two icons on the right kick off the keyword (reading or meaning) search and the favorites/history screen, respectively. All other screens have a home icon on the left as well, providing an easy way to get to the main screen from anywhere. Less frequently used activities such as Settings and About are available via the Menu key, as before. The favorites and history tabbed screen now has a new look, consistent with the Honeycomb and ICS visual

ICS Trust Store Implementation

In the previous two posts we looked at the internal implementation of the Android credential storage, and how it is linked to the new KeyChain API introduced in ICS. As briefly mentioned in the second post, there is also a new TrustedCertificateStore class that manages user-installed CA certificates. In this entry we will examine how the new trust store is implemented and how it is integrated in the framework and system applications. Storing user credentials such as passwords and private keys securely is of course essential, but why should we care about the trust store? As the name implies, the trust store determines who we trust when connecting to Internet servers or validating signed messages. While credentials are usually used proactively only when we authenticate to a particular service, the trust store is used every time we connect to a secure server. For example, each time you check GMail, Android connects to Google's servers using SSL and validates their certificates b

ICS Credential Storage Implementation, Part 2

In the previous entry, we found how Android's keystore daemon manages keys and certificates, and how to connect to it using the provided keystore_cli utility. Now we will look at the intermediate layers between the OS daemon and the public KeyChain API introduced in ICS. Browsing the android.security package, we find two AIDL files: IKeyChainService.aidl and IKeyChainAliasCallback.aidl. This is a hint that the actual key store functionality, like most Android OS services, is implemented as a remote service that the public APIs bind to. IKeyChainAliasCallback is just the callback called when you select a key via KeyStore#choosePrivateKeyAlias(), so it's of little interest. IKeyChainService has the actual methods KeyChain uses to get a handle to a private key or a certificate, plus some internal APIs used by the Settings and certificate installer applications. Naturally, the whole interface is marked as hidden, so SDK applications cannot directly bind to t

ICS Credential Storage Implementation

In the previous entry, we looked at how the new ICS KeyChain API is used and tried installing a user private key/certificate pair and a CA certificate. Now we'll try to find out where they are actually stored and how they are protected. Looking at frameworks/base/keystore/java/android/security, we notice several interesting classes that are not mentioned in the SDK documentation. The most promising is the KeyStore class, so let's have a look. Sure enough, it is marked as hidden (using the dreaded @hide comment). It does have methods for interacting with the key store (get(), put(), delete(), reset(), etc.), but where is the actual key store? As it turns out, all methods send commands to a local socket aptly named 'keystore'. With a little creative grepping, we find out that there is a native daemon with the same name listening on that socket. The source is in frameworks/base/cmds/keystore/keystore.cpp, so let's have a look. The file has some helpful

Using the ICS KeyChain API

Update: Sample app code is now available on github. The recently released Android 4.0 (Ice Cream Sandwich, ICS) introduces a new, unified UI for both tablets and handsets, lots of 'people-centric' communication and sharing features and other convenient improvements such as a better camera app and the much-hyped face unlock. Since everyone is talking about those, we will have a look at some of the less user-visible, but nonetheless important security-related improvements. Android is often said to be missing crucial security features to be seriously accepted in the corporate world, which has long been the domain of RIM's BlackBerry. Two of those missing features were the ability to control the system's trusted CA certificates and offer a centralized secure credential storage. Since many companies use private PKIs, the ability to install trusted certificates system-wide is essential for using corporate services secured by those PKIs. Until now, the only wa

Kanji Recognizer v2.0

It's been a while since the last release, but the latest version is finally available. The focus of this release is an improved new UI and full support for tablets. The app is now using an action bar for easier access to key functionality. This is a feature originally only available on the Honeycomb (3.x) and Ice Cream Sandwich (4.0) Android versions, but Kanji Recognizer uses the excellent ActionBarSherlock library to bring the action bar to previous versions as well. Functions that were previously only accessible via the overflow menu (displayed when you press the menu key) now have an icon on the action bar. That will hopefully make it easier for new users to find and try them. Here's how the main screen looks in version 2.0: The three icons on the right side of the action bar start the quiz, character search and history/favorites screens, respectively. Less frequently used features, such as the Settings and About screens are still in the overflow menu, so you need

WWWJDIC for Android 2.1 Released

The newest release is now live in the Android Market. The highlights of this version are improved Japanese text-to-speech (TTS) and Android 4.0 (Ice Cream Sandwich, ICS) support. Version 2.0 introduced Japanese TTS support using the free N2 TTS speech engine, but apparently (and unfortunately) it is not available from the Android Market outside of Japan. In 2.1 I've added support for two other major Japanese TTS engines: SVOX Japanese and AquesTalk TTS. You can now switch the Japanese TTS engine in the Settings screen, check out the screenshot below. The app doesn't check if the engine is actually installed, so you should install the relevant TTS package before changing the setting (if you select an engine that is not available, Japanese TTS support will be disabled throughout the app). Another improvement in this release: the settings screen is now using an action bar, courtesy of ActionBarSherlock v3.4.0. Unfortunately, an API to list available TTS engines wa

WWWJDIC for Android 2.0

More than a year and a half since the initial release to the Android Market, WWWJDIC for Android's second major version update is now live. It brings a refreshed UI for phones, a fully optimized and easier to use interface for tablets, and one of the most often requested features -- Japanese text-to-speech. Get it now from the Market and read about what's new and improved below. First things first: tablets. The tablet-optimized version of Android, Honeycomb, was released early this year, but affordable Android tablets are just now getting mainstream. The biggest user-visible changes are the introduction of the action bar on the top, and the fixed system bar with soft back and home buttons at the bottom of the screen. And, of course, the obviously larger screen. To take advantage of those, Honeycomb apps move previously hard to find option menus to the easily accessible action bar, and display more information when more screen real estate is available. Here's how the main

WWWJDIC for Android 1.8.7 Released

The latest version is now available in the Android Market and soon in the Amazon Appstore. Example search has been largely improved by using a feature recently added to WWWJDIC's API. While clicking on the 'Ex.' button next to a dictionary entry would only show you sentences containing the exact word before, searching for examples is a lot 'smarter' now. It now matches inflected words, alternative spellings and more. For example, searching for 飲む will match 飲んだ, as well as のまない; searching for 綺麗 will match きれい, キレイな, as well as the original 綺麗, of course. Up to 100 sentences matching the query will be returned by default. For common words, you might want to turn the 'Random examples' option in Settings on. If you do, you will get 10 random examples containing the target word each time you search, giving you a much broader view of the word's usage. Another new feature in this release is support for optical character recognition (OCR) of gallery im