Home Network SSL Checker

Android application to check network connectivity with strict certificate checking

What is this for?

The standard Android applications for mail, calendar, contacts etc. can synchronize against SSL-protected servers but offer no way to check the server's certificate beyond the built-in behaviour: either the certificate is accepted because it was issued by one of the standard (not user-editable) CAs, or certificate checking is switched off altogether. Neither is enough to reliably assert the identity of the server, so there is a risk of handing sensitive information (account passwords) to the wrong server. The problem is most acute when the server is on a semi-permanent connection and found via dynamic DNS, when it uses self-signed or private-CA certificates, or when the device is on a public WiFi hotspot (hotspots are trivial to fake and are therefore a regular MitM attack vector).

This app checks at configurable intervals whether a given HTTPS URL is reachable and the server identifies itself with the right certificate. It consists of a home screen widget that displays the status with colored "signal lights".

While a check is in progress and whenever a check fails, the app turns the global synchronization setting off. This way synchronization should not contact a server whose identity has not been verified, provided it is the same server as the one the app checks.

Usage

After installing the app, you are taken to the configuration screen. Select how often to check, on which network connections to check, and whether to turn global synchronization back on once a check has passed.

You have to configure a checking URL and provide a certificate. The server you synchronize against is assumed to also serve a simple web page via HTTPS. If you follow the recommendations (see the document on server configurations) and synchronize against an ownCloud instance, simply check against the root URL of the server it runs on. The check does nothing more than load this URL and verify its certificate, as a browser would. See the document on server configurations for details.

You need the public certificate of the CA that signed the server certificate, the self-signed certificate if the server uses one, or just the server certificate itself (the last option works only on Android 4.0 or later). Put this certificate as a .CER file on your device's USB memory or memory card; you can then select it from the configuration screen. (This looks like the procedure for installing a certificate for VPN use, but it is subtly different: here only the public certificate is needed, so you need a .CER file rather than a .P12 file, and no passwords are involved.) A .CER file is what Windows produces when you export a certificate; with OpenSSL the equivalent is called a PEM file, and the app accepts either file extension.
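As an added illustration of what the check described in the two paragraphs above amounts to (loading the .CER/PEM file, trusting nothing but that certificate, and fetching the checking URL), here is a plain Java program. It is not the app's own code, and the class and method names are my own; it assumes only the standard Java TLS classes, which also exist on Android.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/** Example only (not the app's code): load one .CER/.PEM file and use it as the sole trust anchor. */
public class PinnedHttpsCheck {

    /**
     * Builds an SSLContext whose trust store contains nothing but the certificate in cerFile.
     * The file may hold the CA certificate, a self-signed server certificate, or the server
     * certificate itself; CertificateFactory accepts both binary DER and Base64 PEM input.
     */
    static SSLContext contextTrustingOnly(String cerFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate anchor;
        try (InputStream in = new FileInputStream(cerFile)) {
            anchor = cf.generateCertificate(in);
        }
        // A fresh, empty key store: the system CAs are deliberately NOT included.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned", anchor);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Returns true only if the URL is reachable, the TLS handshake succeeds against the
     * pinned trust store (the chain validates against the .CER file), and the certificate
     * names the host in the URL (HttpsURLConnection's default HostnameVerifier is kept).
     */
    static boolean check(String httpsUrl, String cerFile) {
        if (!httpsUrl.startsWith("https://")) {
            return false;                         // a plain http: URL would prove nothing
        }
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
            conn.setSSLSocketFactory(contextTrustingOnly(cerFile).getSocketFactory());
            conn.setConnectTimeout(10000);
            conn.setReadTimeout(10000);
            conn.setRequestMethod("HEAD");        // the page content is irrelevant, only the handshake
            conn.getResponseCode();               // performs the connection and the TLS handshake
            conn.disconnect();
            return true;
        } catch (SSLException e) {
            // wrong certificate, untrusted chain, or host name mismatch: "red light"
            return false;
        } catch (Exception e) {
            // DNS failure, timeout, connection refused, unreadable .CER file: also "red light"
            return false;
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java PinnedHttpsCheck https://host/ server-or-ca.cer");
            System.exit(2);
        }
        System.out.println(check(args[0], args[1]) ? "GREEN: identity verified" : "RED: check failed");
    }
}
```

Run it as `java PinnedHttpsCheck https://cloud.example.org/ myca.cer` (host name and file name are placeholders). The point of the empty key store is that a certificate from any of the built-in CAs is rejected just as a wrong self-signed one is; the host name check is kept so that a certificate for the right CA but the wrong host still fails. On Android, the result of such a check is what would drive the widget colour and the global synchronization switch; the API behind that setting is `ContentResolver.setMasterSyncAutomatically(boolean)`, although whether the app uses exactly that call is my assumption rather than something this page states.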

Once everything is configured, add the application widget to the home screen: depending on your Android version, use the Widgets tab of the Apps menu or long-press the home screen. Make sure you add the widget, not the app launcher: if you see red and green at once, you picked the wrong one.

Copyright

Copyright 2011 Olaf Titz <olaf81825@googlemail.com>
This application is distributed under the GNU General Public License.