What are the best practices when using a self-signed certificate in an Android app?


I'm working on an app that connects to an MQTT mosquitto broker; running a secure TLS connection with a self-signed, user-defined CA cert is an important feature of the app. This question is asking about the best practices related to the usage of such CA certs in an app.

First, is it okay to embed a certificate in an app, so that the Android system doesn't even know about it? Or should Android always know which CA certs are trusted by the application?

Second, it's possible to install a user CA root certificate in the system, those are then visible under Trusted Credentials -> user or under Credential storage -> user certificates. In that case, should a user CA cert be installed on the system and then somehow passed to the app, or should it be accessed by the app directly from files storage?

Third, how can one access the CA cert in any of the above cases in the way that is required by mosquitto? Mosquitto can only read a path to a file. File paths are rather a tough matter for Android, aren't they?

TL;DR: mosquitto requires a path to a CA cert; how can one provide it on Android?



Hema (best answer)

Here are my guidelines for handling CA certificates in an Android app connecting to the Mosquitto MQTT broker.

First - To embed certificate

It is generally not recommended to embed CA certificates directly in the app, as this may pose security risks. The Android system should be aware of the CA certificates trusted by the application for better security practices.

Second - Installing CA root certificate

Installing a user CA root certificate in the system is a more secure approach and the app should access the CA certificate from the system rather than embedding it directly. This certificate can be visible under Trusted Credentials or Credential Storage in system settings.

Third - Accessing the installed CA certificate

The app can use the Android Keystore or equivalent secure storage to store and retrieve certificates. Accessing the CA cert directly from file storage within the app is an acceptable approach if security measures are implemented.

Fourth - Providing CA cert path to Mosquitto

Since Mosquitto requires a path to a CA cert, Android's file paths can be used, but you need to handle them carefully. You can use the getFilesDir() method to obtain the path to the app's internal storage directory. Alternatively, you might consider storing the CA certificate in external storage, but ensure proper security measures.

Secure and Isolated storage for Certificates

Android Keystore: Store your CA certificate securely in the Android Keystore using the KeyStore API. This ensures that the certificate is protected and can only be accessed by your app.

Limiting Access: The Android Keystore is designed to be isolated between apps, so other apps should not have access to the keys and certificates stored in your app's Keystore. By default, data stored in the Keystore is private to your app.

Implementation: Utilize the KeyStore and KeyPairGenerator classes to generate and store the key pair securely. Retrieve the CA certificate from the Keystore when needed for connecting to the Mosquitto MQTT broker.

Security Considerations: Ensure that you follow best practices for key and certificate management within your app. Implement proper error handling and security measures to protect the integrity of the stored CA certificate.

I hope this helps!
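The "Fourth" step above (materialising the CA cert under getFilesDir() so that a path can be handed to mosquitto), as an added example that is not the answerer's code. It assumes the CA ships in the app's assets under an assumed name such as "mqtt_ca.pem", and it parses the file as an X.509 CA before writing it so that a broken or expired trust anchor fails early rather than as an opaque TLS error.

```java
import android.content.Context;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical helper (not from the original answer): copies the app's CA
 *  certificate into private internal storage so a path-only client such as
 *  libmosquitto can read it. */
public final class CaCertInstaller {
    /** Reads the PEM asset (assumed name, e.g. "mqtt_ca.pem"), validates it,
     *  writes it under getFilesDir() and returns the absolute path. */
    public static String installFromAssets(Context ctx, String assetName)
            throws IOException, CertificateException {
        byte[] pem;
        try (InputStream in = ctx.getAssets().open(assetName)) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
            pem = buf.toByteArray();
        }
        // Parse before writing: a file that is not an X.509 CA, or one outside its
        // validity period, is rejected here instead of surfacing as a TLS failure.
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem));
        ca.checkValidity();
        if (ca.getBasicConstraints() < 0) {
            throw new CertificateException(assetName + " is not a CA certificate");
        }
        // getFilesDir() is private to this app's UID; write a temp file and rename
        // so an interrupted write never leaves a truncated CA file in place.
        File dir = ctx.getFilesDir();
        File tmp = File.createTempFile("ca", ".tmp", dir);
        try (FileOutputStream out = new FileOutputStream(tmp)) {
            out.write(pem);
            out.getFD().sync();
        }
        File target = new File(dir, "mqtt_ca.pem"); // assumed file name
        if (!tmp.renameTo(target)) {
            throw new IOException("could not move CA certificate into " + dir);
        }
        target.setReadable(false, false);
        target.setReadable(true, true);   // owner-only read
        target.setWritable(false, false); // nothing should rewrite the trust anchor
        return target.getAbsolutePath();  // pass this as mosquitto's cafile
    }
}
```

The returned path is what goes into the cafile argument of the mosquitto TLS setup; re-running the helper on every start keeps the file in sync with the bundled asset after an app update.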