
I have my android application talking to the server which is protected by an SSL certificate. Below is the code for that.

// Apache HttpClient on Android; the client that executes the request
final HttpClient httpclient = new DefaultHttpClient();
final HttpPost httppost = new HttpPost("https://www.myurl.com");
final List<NameValuePair> postlist = Utils.HttpGetToHttpPost(Arguments);
httppost.setEntity(new UrlEncodedFormEntity(postlist));
final HttpResponse response = httpclient.execute(httppost);

Now my question is: how do I prevent a MITM attack? How do I ensure that I'm talking to myurl.com and not another URL?

2 Answers


After some quick research...

Using the truststore that ships with Java and using only SSL communication might just be your best protection against man-in-the-middle attacks. Java, out of the box, will throw an exception if it can't trust the certificate provided by the server.

Based on what I read it is hard for hackers to impersonate the key given to a site by a Certificate Authority.

I could be wrong though.


You could restrict HTTPS hostname verification in this way:

final SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, null); // null trust managers = the platform's default trust store
final SSLSocketFactory sf = new SSLSocketFactory(ctx); // org.apache.http.conn.ssl.SSLSocketFactory
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

Please refer to the JSSE Reference Guide for details on customizing Java SSL connections.
