-1

My application performs some HR-related functions. When the user hits the "apply leave" button, the back-end validates against employer credentials. If everything is fine, then code is written that hits an Apache server (the URL is over HTTP).

So that every request from my application to the server is made in a secure way, we should convert that from HTTP to HTTPS. I know the process in the case of a web application to server, like installing the certs on the server, but how do I do that in the case of a mobile application?

  • 1
    This isn't really a security question but rather a configuration question. I suggest putting it on serverFault.stackexchange. –  Jun 10 '15 at 17:43
  • Just make the URL HTTPS and buy a cert from a CA shipped by Google Android and iOS. If you want to use a self-signed cert, make it clear in your question (and also clarify if Android or iOS). @other mods, I'd be against sending an SSL programming question to stackoverflow/serverfault due to the high likelihood of OP being given insecure advice. –  Jun 10 '15 at 19:14
  • All I can say is wow – Tim Jonas Jun 11 '15 at 13:29

2 Answers

1

Mobile applications are exactly the same here; they also simply use HTTP (or HTTPS) traffic to communicate with the server.

You may sometimes run into two issues. First, you may have http URLs hard coded throughout the site that inadvertently switch your users back to http. Second, you may have outside URLs (such as CDNs etc.) that don't use https.

A third issue is that it's not enough to simply turn on HTTPS and think you are all done. You will need to carefully tune the ciphers to avoid insecure configurations.

Kevin Keane
1
  1. Configuring Apache is not only adding the certificate, but also configuring the SSL module and adding the key and the CA root chain. Check here for Apache documentation.
  2. Mobile applications usually reside behind a web server, so you can use (for example) Apache + SSL as a reverse proxy for the app.
Romeo Ninov
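
The pieces the two answers list (SSL module, certificate, key, CA chain, tuned protocols and ciphers, Apache as a reverse proxy in front of the app back-end), put together as an added example that is not from either answer. The hostname, file paths and back-end port are placeholders, and it assumes Apache 2.4.8 or later with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.

```apache
# Added example; hr.example.com, the file paths and port 8080 are placeholders.

# Plain-HTTP listener: serves no content, only redirects to HTTPS. A request
# sent to an http:// URL has already crossed the network in cleartext before
# the redirect, so the URL in the mobile app must itself be changed to https://.
<VirtualHost *:80>
    ServerName hr.example.com
    Redirect permanent / https://hr.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName hr.example.com

    SSLEngine on
    # Server certificate followed by the intermediate CA certificates, so that
    # mobile clients can build the chain up to a root they already trust.
    SSLCertificateFile    /etc/ssl/certs/hr.example.com.fullchain.pem
    # Private key: readable by root only.
    SSLCertificateKeyFile /etc/ssl/private/hr.example.com.key

    # Weak: accepts TLS 1.0/1.1 and every cipher the TLS library offers.
    #   SSLProtocol    all
    #   SSLCipherSuite ALL
    # Corrected: TLS 1.2 and newer, forward-secret AES-GCM suites only.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE+AESGCM
    SSLHonorCipherOrder on

    # Clients that honour HSTS will refuse plain HTTP to this host for a year.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy: TLS ends here; the back-end listens on loopback only.
    ProxyPreserveHost on
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Run `apachectl configtest` before reloading; a missing module or unreadable key file is reported there rather than at the first client connection.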