
This product reached the end of support date on March 31, 2021.

Mobile instrumentation and SSL

vladislav_samoy
Inactive

Hi all!
The customer has a production environment and a full copy of it in a test environment. The test environment contains the web certificate from production, and of course the browser throws a warning while connecting to the web site using the IP. The customer's Android APK uses the IP address of the test web server to work with this application. I tried to instrument the APK in different ways to work with our agent on the web server via https (IP, hostname etc.), but I think our library inside the APK cannot send data via https if the certificate is not valid for the web server. There is no way to use http instead of https.

Using a usual web browser I can see that our JS is working and the agent intercepts the dynaTraceMonitor URI.

I tried to instrument this APK and send the data to my easyTravel web server agent and it works fine.

Need community help to solve this. Thanks a lot for any ideas.

5 REPLIES

roman_spitzbart
Dynatrace Pro

The initialization method of the ADK has a parameter for whether any certificate is allowed (Android - useAnyCert / iOS - allowAnyCert). Have you set that to true for your app?

Yes, but it still does not work. It works with http, but not with https.

aaron_wallace2
Inactive

When using SSL, the mobile ADK performs two different types of checks when connecting over a secure link:

  1. Validation of the SSL certificate chain. This means that the certificate received from the web server must be chainable to a valid Android root certificate. Sometimes this requires the addition of the proper intermediate certificates to the SSL certificate on the web server. (Usually not necessary, but some certificate issuers do not include the intermediate certificates needed by Android).
  2. Hostname validation. This means that the hostname in the certificate received by the web server MUST match the name used during the connection. For example, if the ADK attempts to connect to www.company.com, the identity on the certificate must be www.company.com. If you use the IP address, or a server alias, or anything that does not match the certificate exactly, the SSL handshake will fail and the agent will be disabled.

Both of these are put in place to prevent the interception/snooping of customer data, as well as man-in-the-middle attacks.

In a test environment, you can work around #1 by, as Roman S. pointed out, setting the 'allowAnyCert=true' flag. You can always set allowAnyCert=false once the app moves to production.

For #2, make sure that you are connecting to the server using the hostname in the SSL certificate instead of an alias or an IP address.
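The hostname check in #2 can be tested before an APK is instrumented. The following is an added example, not part of the original thread and not the ADK's own code: it applies common TLS name-matching rules (assumed here, including a wildcard case the reply does not mention) to a configured agent URL. The certificate, the wildcard name and the IP address are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "www.company.com"),),),
    "subjectAltName": (("DNS", "www.company.com"), ("DNS", "*.test.company.com")),
}

def _dns_match(pattern, host):
    """Match one DNS SAN; a wildcard may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches_cert(url, cert):
    """Return (ok, reason) for the host in `url` against the certificate's SAN entries."""
    host = urlsplit(url).hostname
    if not host:
        return False, "no host in URL"
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal can only match an "IP Address" SAN, never a DNS name
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP SAN match"
        return False, "connecting by IP but certificate has no matching IP SAN"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, host):
            return True, f"DNS SAN match: {value}"
    return False, f"{host} not among certificate names"

if __name__ == "__main__":
    for url in ("https://www.company.com/dynaTraceMonitor",
                "https://192.0.2.10/dynaTraceMonitor"):
        print(url, "->", host_matches_cert(url, SAMPLE_CERT))
```

A failure for the IP-based URL here corresponds to the browser warning described in the question; the fix is to address the test server by a name present in the certificate rather than to relax validation.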

vladislav_samoy
Inactive

OK. We finally managed to send EUM data from the device to the web server agent, but there is no link between user action and server-side data. We cannot do anything else because we do not have access to the APK developer at this moment.

Hi,

We are also facing the same issue. Can you please suggest how you resolved the issue?

regards,

Bhavin Shah