Use TLS/SSL with our Android library

Some time ago we added SSL/TLS support to our Android library. This feature allows you to use a secure communication channel between the library and the VirtualHub v2.0 (still in BETA) or the GatewayHub. Using this new feature is quite simple, but requires some tricks if you are using a Self-signed certificate on the VirtualHub.




Unlike the C++, C#, Python and VisualBasic .NET libraries, the Android library did not require a major change to add SSL/TLS support. For this reason, we have added this functionality in the current version of the library. This means that if you are using a recent version of our Android library, you can already use this feature.

SSL/TLS support


To use a secure connection, simply add the "wss://" prefix to the VirtualHub or GatewayHub address when calling YAPI.RegisterHub. The WSS prefix stands for "WebSocket Secure" and configures the library to communicate using the WebSocket protocol over an SSL/TLS encrypted connection.

Here is the code to initialize a connection with a VirtualHub v2.0 in secure WebSocket.

...
try {
  // "wss://" selects WebSocket over TLS; the rest of the API is unchanged
  YAPI.RegisterHub("wss://vhub.example.com");
} catch (YAPI_Exception e) {
  e.printStackTrace();
}
...



Note that it is also possible to keep the older HTTP-based protocol while still encrypting the connection, by using the "https://" prefix instead:

...
try {
  YAPI.RegisterHub("https://vhub.example.com");
} catch (YAPI_Exception e) {
  e.printStackTrace();
}
...



In both cases, the Yoctopuce library takes care of encrypting the transmitted data.

The rest of the functionality of the library is unchanged. To summarize, it is sufficient to add the correct prefix to the VirtualHub address when calling the YAPI.RegisterHub method to use an encrypted protocol.

Self-signed certificates


The preceding code works out of the box when the hub presents a certificate issued by a certification authority that Android trusts, but a VirtualHub on a private network is often configured with a self-signed certificate instead. The connection is still encrypted in that case, but the application must be told explicitly which certificate to trust; otherwise it has no way to distinguish the real VirtualHub from a machine in the middle presenting a certificate of its own.

Because a self-signed certificate chains to no CA in Android's trust store, the call to YAPI.RegisterHub throws an exception with the message "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found".

To solve this problem, add the self-signed certificate to the list of certificates that your Android application considers valid. To do this, add an "android:networkSecurityConfig" attribute to the "application" tag in the application manifest.

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                   ... >
        ...
    </application>
</manifest>



The value of this attribute is the path of an XML file stored in the resources, in our case "network_security_config.xml". This XML file contains the list of self-signed certificates that are accepted by the application.

For each certificate, create a "domain-config" node. It contains a "domain" sub-node holding the host name or IP address of the VirtualHub, written exactly as you will pass it to RegisterHub, and a "trust-anchors" node whose "certificates" sub-node references the resource holding the corresponding certificate. In our case, this is the virtualhub_crt certificate located in the res/raw/ subdirectory. Keep the anchor inside a "domain-config" rather than a "base-config": that way the self-signed certificate is trusted only for that one host, and connections to every other host still go through Android's normal CA validation.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <domain-config>
        <domain includeSubdomains="true">192.168.99.97</domain>
        <trust-anchors>
            <certificates src="@raw/virtualhub_crt"/>
        </trust-anchors>
    </domain-config>

</network-security-config>



The last step is to copy the certificate used by the VirtualHub into the res/raw/ subdirectory.

To retrieve this certificate, you can copy it from its location on the machine running the VirtualHub. By default, it is the file %AppData%/Yoctopuce/VirtualHubV2/.virtualhub.crt under Windows or ~/.virtualhub.crt under Linux.

The other solution is to access the VirtualHub or GatewayHub interface using a Web browser. Next to the URL, there is usually a small padlock that allows you to view the certificate used. When the certificate is displayed, there is a link to download it.

Note that Android resource names may only contain lowercase letters, digits and underscores, and the file extension is not part of the resource name, so a file called ".virtualhub.crt" cannot be referenced as-is. Rename it (for example to virtualhub_crt, matching the "@raw/virtualhub_crt" reference above) before copying it into res/raw/.


Once these steps are completed, it is possible to use a secure connection with the host:

...
try {
  // the certificate for this IP is pinned via network_security_config.xml
  YAPI.RegisterHub("wss://192.168.99.97");
} catch (YAPI_Exception e) {
  e.printStackTrace();
}
...
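Before trusting a certificate copied into res/raw, a practitioner will want to confirm that the file really is the one the VirtualHub presents and not something picked up by mistake. The helper below, an added example that is not part of this post or of the Yoctopuce library, loads the raw resource, computes its SHA-256 fingerprint and compares it with the fingerprint read from the browser's padlock dialog, checks that the certificate names the host being connected to, and only then calls YAPI.RegisterHub. The package name com.yoctopuce.YoctoAPI, the one-argument RegisterHub(String) form and the YAPI_Exception type are taken from the post; the expected fingerprint is supplied by the caller rather than hard-coded.

```java
import android.content.Context;
import android.util.Log;

import com.yoctopuce.YoctoAPI.YAPI;            // assumed package of the Android library
import com.yoctopuce.YoctoAPI.YAPI_Exception;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

/** Added example: sanity-check the pinned VirtualHub certificate, then connect over wss://. */
public final class SecureHubConnector {
    private static final String TAG = "SecureHubConnector";

    private SecureHubConnector() {}

    /** Parse the certificate stored in res/raw (PEM or DER are both accepted by the X.509 factory). */
    public static X509Certificate loadPinnedCertificate(Context ctx, int rawResId)
            throws IOException, GeneralSecurityException {
        try (InputStream in = ctx.getResources().openRawResource(rawResId)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** SHA-256 over the DER encoding, formatted like the browser's padlock dialog (AA:BB:...). */
    public static String sha256Fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** True if the host (DNS name or IP literal) appears in the Subject Alternative Name extension. */
    public static boolean certificateNamesHost(X509Certificate cert, String host)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            // Java exposes dNSName (tag 2) and iPAddress (tag 7) entries as strings
            Object value = san.get(1);
            if (value instanceof String && host.equalsIgnoreCase((String) value)) return true;
        }
        return false;
    }

    /**
     * Verify the pinned certificate against the fingerprint noted from the VirtualHub's
     * own web interface, then open the secure WebSocket connection.
     */
    public static void connect(Context ctx, String host, int rawResId, String expectedSha256) {
        try {
            X509Certificate cert = loadPinnedCertificate(ctx, rawResId);

            String fp = sha256Fingerprint(cert);
            if (!fp.equalsIgnoreCase(expectedSha256)) {
                throw new IllegalStateException(
                        "pinned certificate fingerprint " + fp + " differs from expected " + expectedSha256);
            }

            cert.checkValidity(); // throws if expired or not yet valid

            if (!certificateNamesHost(cert, host)) {
                // The anchor will be trusted, but host-name verification may still reject it.
                Log.w(TAG, "certificate does not list " + host + " in its Subject Alternative Name");
            }

            YAPI.RegisterHub("wss://" + host);
            Log.i(TAG, "secure connection to " + host + " established");
        } catch (YAPI_Exception e) {
            Log.e(TAG, "RegisterHub failed: " + e.getMessage(), e);
        } catch (IOException | GeneralSecurityException e) {
            Log.e(TAG, "pinned certificate could not be loaded or verified", e);
        }
    }
}
```

Call it as SecureHubConnector.connect(this, "192.168.99.97", R.raw.virtualhub_crt, "<fingerprint from the padlock dialog>") from an Activity or Service; the fingerprint check catches a stale or wrong file in res/raw at development time, while the network security configuration remains what actually constrains the TLS handshake at run time.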



Limitations


For the library to be able to establish an encrypted link, both parties must support SSL/TLS. Currently, only VirtualHub v2.0 and GatewayHub support this feature. It is therefore not yet possible to use this feature to communicate with a YoctoHub.
