Axxel H

Enpass 6 Android and self-signed CA


I'm trying to connect the Enpass 6 Android beta to a WebDAV server that has a self-signed certificate issued by a self-signed CA. The CA is installed and trusted in the Android certificate store and works without issue in apps that reference that. This works in Enpass for Mac, but doesn't in Android without enabling "Bypass SSL certificate verification".

The release notes for Enpass 5.5.5 indicate that self-signed certs should work, but it doesn't indicate what the expected behavior is. Is needing to enable cert verification expected on Android? Does Enpass at least remember the prior certificate so that man-in-the-middle attacks are not possible?

The device is a OnePlus 5 with Oxygen OS 5.1.5 (Android 8.1.0) running Enpass beta 6.0.0.58 (the latest available from the Play Store).

The certificate chain is as follows: WebDAV server -> intermediate CA -> root CA (self-signed). Both the root and intermediate CAs are installed in the Android security storage for credentials. The WebDAV server serves the full cert chain (cert and all CAs). Again, this works fine with the Enpass 6.0.0.220 Mac client.

Your response makes me believe this is expected to work, but while you debug can you explain exactly what "Bypass SSL certificate verification" does? There are two interpretations:

- It might mean that no verification is performed on initial connection, but subsequent connections must use the same cert. This is safe enough for my purposes, as it is not subject to man-in-the-middle attacks.

- It might mean that no certificate verification is performed, and that any certificate can be used and changed at any time, which means man-in-the-middle is a potential issue.

Which interpretation does Enpass Android use?

I've conducted a few more experiments, and the results are disappointing:

- It appears the problem is not with the intermediate CA; using a cert issued by the root CA fails as well.

- It appears the "Bypass SSL certificate verification" option prevents all subsequent SSL verification, offering no man-in-the-middle protection. I was able to introduce a new self-signed cert not issued by any trusted CA and Enpass beta 6.0.0.58 continued to sync with the server without error.

Can you confirm this is either a bug or expected behavior?

After encountering problems with self-signed certs in a different app, I'm reasonably sure this is the issue:

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

Related discussion here:

https://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device
https://developer.android.com/training/articles/security-config

I'd encourage you to consider adding the exceptions to allow self-signed certs, at least as an option. Other apps I use with NextCloud appear to have done this (CardDAV sync, for example). I'd imagine that other folks running private nextcloud/owncloud/etc. will encounter this issue. While there are security tradeoffs mentioned in the documentation, it's not clear there's a better solution for WebDAV sync on Android that doesn't have other concerns (certificate costs, Let's Encrypt 90d expiration, etc.).

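The Android mechanism the links above describe, shown as an added example that is not part of this thread and not Enpass's own code: since Android 7.0 (API level 24), an app targeting that level no longer trusts CAs the user installed under Settings > Security unless its network security config opts in. The file below opts in only for a named sync host and, as a second option, shows certificate pinning, which is what "remember the prior certificate" amounts to in practice. The host names and pin digests are placeholders I made up, not values from this thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (illustrative example, not Enpass's file) -->
<network-security-config>
    <!-- Default for every host the app talks to: system CAs only, no cleartext. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Opt-in for the user's own WebDAV host (placeholder name): also trust the
         CAs the user installed in the Android credential store. This is the
         exception the Android docs describe, and it is scoped to this domain only,
         so every other connection keeps the default behaviour. -->
    <domain-config>
        <domain includeSubdomains="false">webdav.example.internal</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!-- Alternative that needs no CA trust at all: pin the base64 SHA-256 hash of
         the server's (or private root's) SubjectPublicKeyInfo. A certificate whose
         key is not in the pin set is rejected, so a swapped cert fails closed
         instead of being accepted silently. The digests below are placeholders. -->
    <domain-config>
        <domain includeSubdomains="false">pinned.example.internal</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin (recommended by the Android docs) so key rotation does
                 not lock the user out of their own server. -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The app wires the file in with `android:networkSecurityConfig="@xml/network_security_config"` on its `<application>` element. The point for the question raised in this thread is that both options keep certificate verification on: trusting user-installed CAs for one host, or pinning a key, is a narrow exception, whereas a global "bypass verification" switch removes the check for every certificate on every connection.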

@Anshu kumar

Using Android version 6.0.0.93 I'm now getting an error when connecting to Nextcloud that explains the certificate is not trusted, so that's an improvement in the error messages.

However, as I indicated the cert is trusted in the user store so I think the problem is the rules around user certificate trust. Again, I'd encourage you to consider allowing self-signed certs with the links I provided above.
