Tag Archives: android

Custom CA certificates & Android

With the number of servers I have internally, I have setup my own Certificate Authority and sign all my internal SSL certificates against this private CA.

This offers the useful advantage of being able to import the one CA certificate into all my devices and then being able to validate all connections to remote systems – if you run more than one or two personal servers, I’d highly recommend this approach – certificate signing takes a little bit of getting used to, but it’s a good skill to have.

As I want to access a number of systems via my Android mobile, I needed to import this CA file – the following instructions were followed with ICS release 4.0.3, however it may apply to earlier/later releases as well.

If you’ve followed most typical instructions for building your CA, you will have a PEM-encoded CA certificate file in ASCII format. This is fine for import into most browsers and desktop OSes, however Android is particularly fussy with its input and requires the binary DER format only.

You can convert the CA PEM format file with the following command:

openssl x509 -inform PEM -outform DER -in CA.pem -out CA.crt

Then transfer the generated CA.crt file to the sdcard – easiest is via adb:

adb push CA.crt /sdcard/

Once done, you will be able to tell Android to install the CA file via Settings -> Security -> Credential Storage and selecting “Install from storage” and following prompts.

To verify functionality, easiest test is to access an https website signed with your CA certificate via the browser.
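As an added example (not the post’s own code), here is a pure-Python equivalent of the openssl conversion above, with the sanity checks worth doing before pushing the file to the phone: it accepts only a CERTIFICATE block (refusing keys or other PEM objects), and verifies that the decoded bytes form one complete DER SEQUENCE, which is what Android’s importer expects. The sample PEM is constructed inline and is not a real certificate.

```python
import base64
import re

# Constructed sample: a five-byte ASN.1 SEQUENCE wrapped in PEM markers. It stands in
# for a real CA certificate so the example runs offline; it is not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_total_length(data: bytes) -> int:
    """Return the byte length the outer DER element claims (tag + length + value)."""
    if len(data) < 2:
        raise ValueError("too short to be DER")
    first = data[1]
    if first < 0x80:                      # short-form length: one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_certificate(data: bytes) -> bool:
    """True if data is a single DER SEQUENCE whose declared length matches the file."""
    try:
        return data[:1] == b"\x30" and der_total_length(data) == len(data)
    except ValueError:
        return False


def pem_to_der(text: str) -> bytes:
    """Equivalent of `openssl x509 -inform PEM -outform DER` for one CERTIFICATE block."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label != "CERTIFICATE":
        # Refuse keys and other objects: only the CA *certificate* belongs on the sdcard.
        raise ValueError(f"expected a CERTIFICATE block, found {label}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not is_der_certificate(der):
        raise ValueError("decoded data is not a well-formed DER certificate")
    return der
```

Running `is_der_certificate` over the file you are about to `adb push` catches the common mistake of pushing the still-PEM file under a `.crt` name.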

Some commenters have had issues - here is me importing a valid CA cert in DER format.

Android VPN Rage

Having obtained a shiny new Nexus S to replace my aging HTC Magic, I’ve been spending the last few days setting it up as I want it – favorite apps, settings, email, etc.

The setup is a little more complex for me, since I run most of my services behind a secure internal VPN – this includes email, SIP and other services.

On my HTC Magic, I ran OpenVPN which was included in CyanogenMod – this is ideal, since I run OpenVPN elsewhere on all my laptops and servers and it’s a very reliable, robust VPN solution.

With the Nexus S, I want to stick to stock firmware, but this means I only have the options of a PPTP or IPsec/L2TP VPN solution, both of which I consider to be very unpleasant solutions.

I ended up setting up IPsec (OpenSwan) + L2TP (xl2tp + ppp) and got this to work with my Android phone to provide VPN connectivity. For simplicity, I configured the tunnel to act as a default route for all traffic.

Some instant deal breakers I’ve discovered:

  1. Android won’t remember the VPN user password – I can fix this for myself by potentially moving to certificates, but this is a deal breaker for my work VPN with its lovely 32-char password as mandated by the infrastructure team.
  2. Android disconnects from the VPN when changing networks – e.g. from 3G to wifi – and won’t automatically reconnect.
  3. I’m unable to get the VPN to stand up on my internal RFC 1918 wifi range, for some reason the VPN establishes and then drops, yet works fine over 3G to the same server.

I love Android and I suspect many other platforms won’t be much better, but this really is a bit shit – I can only see a few options:

  1. Get OpenVPN modules onto my phone and setup OpenVPN tunnels for the stock firmware – for this, I will need to root the device, compile the Nexus kernel with tun module support, copy onto the phone and then install one of the UIs for managing the VPN.
  2. Switch to CyanogenMod to gain these features, at the cost of the stability of using the stable releases from Google/Samsung.
  3. Re-compile the source released by Samsung and apply the patches I want for OpenVPN support in the GUI from CyanogenMod.
  4. Re-compile the source released by Samsung and apply patches to the VPN controls in Android to fix VPN handling properly. Although this still doesn’t fix the fact that IPsec is a bit shit in general.

All of these are somewhat time intensive activities as well as being way beyond the level of a normal user, or even most technical users for that matter.

I’m wondering if option 3 is going to be the best from a learning curve and control perspective, but I might end up doing 1 or 2 just to get the thing up and running so I can start using it properly.

It’s very frustrating, since there’s some cool stuff I can now do on Android 2.3, like native SIP support that I just need to get the VPN online for first. :-(

Day 07 – Preferred smartphone platform. And which do you use?

This post is part of my 30 days of geek challenge.

Being an open source geek, it probably won’t surprise you that I’m a fan of Android, Google’s open source operating system for mobile phones.

I currently own an HTC Magic G2 running CyanogenMod 5 (Android 2.1) and am loving it; whilst it has its faults (mainly this model lacks CPU/RAM) it’s a great little phone.

In case you’re not familiar with Android:

  • Open source operating system developed by Google and released under an open source license.
  • Wide range of Android phones and devices (inc tablets and laptops) released by a variety of manufacturers.
  • Runs the Linux kernel and some open source libraries but doesn’t have the typical linux userspace, instead most of it is written in Java running on the Dalvik JVM.
  • Designed to be an open platform with the ability to install or distribute any application.

There’s a number of good reasons why I’d choose it over Win Mobile, iPhone or Symbian:

  • One of the more open platforms – most of the OS is open source and I can customise it or use other people’s modifications – ATM I’m running CyanogenMod on my phone to take advantage of OpenVPN and some applications which require Android 2.x
  • Symbian and Win Mobile (version 6, I haven’t seen 7) are an entire generation behind the new smartphone operating systems like Android and iPhone. And Apple’s products are far too locked down and restrictive for me to support them.
  • No forcing users to use a specific OS/application (eg itunes) just to load files or content onto the phone – just mount like a standard USB storage device.
  • Range of vendors providing huge selectivity of platforms.
  • Ability to develop for Android on Linux systems.

Android isn’t perfect though, there are certainly some limitations/problems that I’m not completely happy with:

  • Vendors/carriers implementing their own lockdown in the phone bootloaders to try and prevent users from running unauthorised kernels. (looking at YOU Motorola!)
  • Performance – a lot of the Android phones (particularly the earlier models) are very laggy, I suspect the CPU/RAM is just a bit too scarce compared to the actual requirements of the phone.
  • A number of components are still proprietary – such as Google apps (including the marketplace) and the telephony drivers for the server.
  • Google’s marketplace doesn’t clearly differentiate between proprietary or open source applications, making it difficult if you want to aim to only use open source applications.
  • Vendor variation and telco control.

This last point is a big issue for myself – Google allowed the vendors too much flexibility to customise the phones and still call them “Android”. What is already happening is that some vendors are reskinning or customising the firmware, whilst others are not releasing updates, so that some of the phones are stagnating on old versions of Android.

To make it worse, the telcos have control over update distribution rather than the vendors, so you have to wait for your telco to approve and push out updates and experience shows they aren’t the fastest or most efficient organisations.

But, despite some of its faults, overall it’s a pretty decent OS and certainly gives Apple a run for their money whilst utterly thrashing the older OSes like Symbian and WinMobile 6.

And it runs Linux ❤