Introduction
Secure Sockets Layer (SSL) is one of the core parts of encrypted communications between a client and a server. Its primary deployment has been for web browsers to encrypt messages and ascertain a level of trust with a third-party service for online transactions, such as buying a DVD or Internet banking. Unlike web browsers, there is no padlock icon in the left corner of an Android app providing a visual indicator that the connection is secure. Unfortunately, there have been instances where this validation has been skipped by app developers. This was highlighted by the paper, Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security (http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf).
In this chapter, we are going to look at some of the common pitfalls of using SSL on Android, specifically relating to self-signed certifications. The main focus is how to make SSL stronger to help guard against some of the vulnerabilities noted in the previous chapter...
