Android Question Encrypt HTTP without SSL

[Shay]

Hi

Since I cannot use SSL due to lack of support with SNI
I wish to encrypt my http post data, and php code to decrypt it on server side
and vise versa (php encrypt, phone to decrypt)

What is the best way doing it, while the code need to work also from Iphone using B4I (not mandatory)

 

[sorex]

if the data is using plain ascii chars and not some weird stuff you could just work with a char replacement table.

or you could use multiple ones and send the number of the one you used together with the request.

not ideal for full utf-8 text tho.

or zip it with or without password encryption.

 

[Erel]

The simplest solution is to use B4J instead of PHP and then encrypt with B4XEncryption libraries which are compatible by B4A, B4J and B4i.

Otherwise you need to implement an encryption method with the Encryption library.

 

[Shay]

I have no choice but to use php (hosted server)
So I will check the Encryption library (I guess this means using openssl)

Is there any pimplier solution such as doing MD5/hash on the post/response?

 

[Erel]

Hash functions do not encrypt anything.

 

[Shay]

Erel/Guys I need you help here
I manage to make this to work using
https://www.b4x.com/android/forum/threads/crypt-b4a-and-php.15715/#post-307571
but since this is not supported on IOS I need to switch to something that will work on B4J, B4A, B4i
simple encrypt/decrypt on my post, so wireshark cannot see the data in clear text
what do you suggest? any code example?

 

[sorex]

try that char replacement method I wrote about last week.

it's easy, will work on any system and your text will be scrambled thus unreadable, you can even replace the chars with ascii save signs like ,;:?./()&@#'! etc

 

[KMatle]

I can help. I've done an App to App communication (RSA) with Agrahams library. On the php side I know how to use RSA, too.

What I don't know is to convert the keys (lib vs. Server). I need assistance here. Just a small step away...

Will post further details tomorrow...

 

[sorex]

notice that he aims for IOS aswell and there's not much available besides Erel's libs

that's why I opted for a simple scramble.

 

[KMatle]

Ok :-(

 

[Erel]

You can use B4XEncryption for a cross platform solution.

 

[Shay]

if I use B4XEncryption, how do I decrypt the POST on the PHP server? (and then encrypt it back to the app)

 

[Erel]

It is not so simple to implement it in PHP.

The interface is:
8 bytes - salt
16 bytes - IV
The rest is the encrypted data.

128 bit Key is created from the password and the salt with 1024 rounds (based on SHA-1).
The data is encrypted with AES/CBS/PKCS5Padding.

 

[KMatle]

What we really need here is RSA because it's a problem to communicate with more than one client and even worse to exchange the keys with other methods like AES or DES.

RSA is standard for Server encryption (SSL AND non SSL). So it will be a huge step to implement this.

@Erel: I got stuck to make the keys (b4a and Server) byte compatible. Will need some help here and post some examples at the weekend.

 

[aeric]

Can we use any open source but secure SSL to transfer clear text password or information through http?

 

[Erel]

HttpUtils2 works with https connections.