4

For iOS apps, it is possible to use Certificate Transparency as stated here. We are developing native apps for the different mobile platforms and are discussing how to establish a more secure way of handling SSL certificates.

Does anybody know if there is a similar way by Google to integrate Certificate Transparency into Android or make it usable by Android-Apps? At the moment, it seems that there is no implementation for Android and on certificate-transparency.org, there is also no Java-Client implementation that could be adopted (directly).

tysonite
Supahupe
  • I am not sure if this helps me. Does anybody know about something like a roadmap of Google about Certificate Transparency? I wonder because they established www.certificate-transparency.org but there is no information about how it could be integrated in the Android platform, while Apple developers can use an OS integration. – Supahupe Jul 25 '17 at 07:51

1 Answer

2

Although Conscrypt has code to support Certificate Transparency, there doesn't seem to be an easy way to use this in an app as Google don't expose the API. It is possible to use Conscrypt as a dependency; however, this isn't necessarily right for every app, with its use of native libraries that need bundling and the need to set custom system properties.

I have been involved in writing the open source https://github.com/appmattus/certificatetransparency to alleviate some of these issues whilst providing easy configuration for use with OkHttp, HttpUrlConnection and Volley. You simply specify the domains you want CT to be enforced with and the library takes care of everything else, such as getting hold of an up-to-date log list.

appmattus
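
An added example, not part of the answer above or written by its author: a minimal OkHttp setup using the library the answer links. The `certificateTransparencyInterceptor` DSL and its `+`/`-` host rules are assumed from the project's README and may differ between library versions; the `example.com` hosts and the `fetch` helper are hypothetical.

```kotlin
import com.appmattus.certificatetransparency.certificateTransparencyInterceptor
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.IOException

// Host patterns are constructed placeholders; use the domains your app talks to.
// DSL name and +/- operators are assumed from the library's README.
val ctInterceptor = certificateTransparencyInterceptor {
    +"*.example.com"        // enforce Certificate Transparency for these hosts
    -"legacy.example.com"   // hypothetical host exempted from the check
}

// Register it as a *network* interceptor. Application interceptors run before
// a connection exists, so the peer certificate chain from the TLS handshake
// is only available at the network-interceptor stage.
val client: OkHttpClient = OkHttpClient.Builder()
    .addNetworkInterceptor(ctInterceptor)
    .build()

// Hypothetical helper: returns the body, or null when the request fails.
// A failed CT check is expected to surface as an exception from execute();
// it is treated like any other TLS failure (fail closed, no plain retry).
// On Android, call this off the main thread.
fun fetch(url: String): String? =
    try {
        client.newCall(Request.Builder().url(url).build()).execute().use { response ->
            response.body?.string()
        }
    } catch (e: IOException) {
        // Report the failure; do not fall back to a client without the interceptor.
        null
    }
```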