how to make http connection using ndk?


Hitendrasinh Gohil

Jul 5, 2011, 12:48:58 AM
to android-ndk
Hi,

I am using the SDK and now I need to make an HTTP connection in the NDK. Can
anybody help me with how I can make an HTTP connection using the NDK?

Tim Mensch

Jul 5, 2011, 12:59:26 AM
to andro...@googlegroups.com
On 7/4/2011 10:48 PM, Hitendrasinh Gohil wrote:
> I am using the SDK and now I need to make an HTTP connection in the NDK. Can
> anybody help me with how I can make an HTTP connection using the NDK?

Either link in an HTTP library (that you also build) or use JNI to
connect with the Java library.

Tim

Hitendrasinh Gohil

Jul 5, 2011, 1:07:45 AM
to andro...@googlegroups.com
Hi,

I just want to do the HTTP operation in the NDK and need to access it from my Java class.

Something like...
This is my Java class using JNI.

public class NativeLayer
{
    static
    {
        System.loadLibrary("helper");
    }
    public native String doHttpConnection();
}

Now I want my doHttpConnection method to establish the HTTP connection, and the response should be returned to Java.





--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To post to this group, send email to andro...@googlegroups.com.
To unsubscribe from this group, send email to android-ndk...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/android-ndk?hl=en.




--
Regards,
Hitendrasinh Gohil

Tim Mensch

Jul 5, 2011, 1:22:48 AM
to andro...@googlegroups.com
Wait, you want to do an HTTP connection from Java? Why not just use the Java classes that Android supplies that already do that for you?

An HTTP connection isn't something that I would imagine would benefit from native speed (unless you're writing a spider or something else that really doesn't belong in an NDK app), so why the extra headache?

If you want to know what the Java classes are, look up org.apache.http -- but if you have questions about how to use those classes, you should direct them to android-developer, StackOverflow, or some site that talks specifically about the Apache HTTP bindings, since at that point it won't be an NDK question.

Tim

Hitendrasinh Gohil

Jul 5, 2011, 1:43:29 AM
to andro...@googlegroups.com
hi,

I have already done it with the SDK, but what I want is to make .so files for all these classes. These classes contain the server URLs and other secure things.

alan

Jul 5, 2011, 4:21:55 AM
to andro...@googlegroups.com
putting them in a native class won't make it any more secure, the strings will still be stored in plain text in the library

Tim Mensch

Jul 5, 2011, 9:18:48 PM
to andro...@googlegroups.com
On 7/5/2011 2:21 AM, alan wrote:
> putting them in a native class won't make it any more secure, the
> strings will still be stored in plain text in the library

You could put them into the C-code encrypted along with the key; it
would be "more" secure than doing the same thing in Java, since Java
decompilers will give you easier-to-read code than a disassembler. But
you could do JUST that part in the C library as well: Just have a
function that you call from Java using JNI that returns the appropriate
strings. That gets you 95% of the benefit, without having to rewrite
HTTP in C or go through JNI calls to Java for every request.

Tim
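
The two claims above, as an added example that is not part of the thread or any poster's code: a `strings`-style scan finds a plain URL literal in a library image, misses the same URL once it is XOR-ed, and finds it again as soon as the key shipped in the same library is applied. The URL, the single-byte key and the image layout are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEY 0x5A  /* constructed single-byte key, shipped inside the same library */
static const char URL[] = "https://api.example.invalid/v1/login"; /* constructed */

/* Build a stand-in for a library's data section: non-printable filler,
 * then the URL XOR-ed with `key` (key 0 stores the plain literal). */
size_t build_image(unsigned char *img, size_t cap, unsigned char key) {
    size_t n = 0;
    for (int i = 0; i < 16 && n < cap; i++) img[n++] = (unsigned char)(0x80 + i);
    for (size_t i = 0; i + 1 < sizeof URL && n < cap; i++)
        img[n++] = (unsigned char)(URL[i] ^ key);
    if (n < cap) img[n++] = 0x00;
    return n;
}

/* strings(1)-style scan: look at every run of at least `min` printable
 * ASCII bytes and return 1 if one of them contains `needle`. */
int strings_finds(const unsigned char *img, size_t n, size_t min, const char *needle) {
    size_t start = 0, nl = strlen(needle);
    for (size_t i = 0; i <= n; i++) {
        if (i < n && img[i] >= 0x20 && img[i] < 0x7f) continue;
        if (i - start >= min)               /* run is img[start..i) */
            for (size_t j = start; j + nl <= i; j++)
                if (memcmp(img + j, needle, nl) == 0) return 1;
        start = i + 1;
    }
    return 0;
}

/* Whoever holds the library also holds the key and the decode routine. */
void xor_image(unsigned char *img, size_t n, unsigned char key) {
    for (size_t i = 0; i < n; i++) img[i] ^= key;
}

int main(void) {
    unsigned char plain[128], obf[128];
    size_t np = build_image(plain, sizeof plain, 0);
    size_t no = build_image(obf, sizeof obf, KEY);
    printf("plain literal found by scan: %d\n", strings_finds(plain, np, 4, "https://"));
    printf("obfuscated found by scan:    %d\n", strings_finds(obf, no, 4, "https://"));
    xor_image(obf, no, KEY);
    printf("after applying shipped key:  %d\n", strings_finds(obf, no, 4, "https://"));
    return 0;
}
```
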

Hitendrasinh Gohil

Jul 6, 2011, 12:07:04 AM
to andro...@googlegroups.com
Hi,

Could you please give me links to any NDK material (tutorials, links, code snippets) that I can refer to in order to do the same thing?





--
Regards,
Hitendrasinh Gohil

Tim Mensch

Jul 6, 2011, 12:27:24 AM
to andro...@googlegroups.com
The most basic hello-jni example shows how to take a C string and return it to Java. It's up to you to generate that string, of course.

Tim

Hitendrasinh Gohil

Jul 6, 2011, 12:36:18 AM
to andro...@googlegroups.com
I am able to return a string or call functions in the NDK from Java through JNI. But as I have said, I want to add security, to the extent possible, for the server URLs and some functions.

Currently I am using the code below from the SDK for the HTTP request.

httpCon = (HttpURLConnection) httpUrl.openConnection();
httpCon.setRequestMethod("GET");

if (httpCon.getResponseCode() == HttpURLConnection.HTTP_OK)
{
    is = httpCon.getInputStream();
    int ch;
    sb = new StringBuffer();
    while ((ch = is.read()) != -1) {
        sb.append((char) ch);
    }
}

I want to do the same thing with the NDK, so that I can return the string from there and get it in Java through JNI.

Tim Mensch

Jul 6, 2011, 1:57:08 PM
to andro...@googlegroups.com
Ummm....the code you quoted doesn't seem to include any URLs -- httpUrl is set before it gets there.

If you want the URL to be secret, why not load httpUrl with the "secret" URL from your JNI string reading function, which has somehow been obfuscated in C?

If you're dead set on doing HTTP via the NDK, well, it's your project. The BSD socket library is available, and you can probably find an HTTP client library that you can build. I don't know of one, though.

Tim

Christopher Van Kirk

Jul 5, 2011, 2:34:56 AM
to andro...@googlegroups.com

Seems rather silly. Wouldn’t string encryption and java obfuscation be an easier answer?



Christopher Van Kirk

Jul 5, 2011, 9:46:39 PM
to andro...@googlegroups.com
Ultimately, that's a fool's errand because they can just as easily decompile
the java wrapper around that native class and then just use the library to
decrypt the key for themselves. As long as you have easily decompiled java
in the mix somewhere, you're going to be less secure.

If someone decompiling Java source is a serious enough threat to merit
additional security measures, then it's serious enough to merit real ones.
If it isn't, Java obfuscation + encryption is practically free and should
suffice to protect the data from most attackers.

-----Original Message-----
From: andro...@googlegroups.com [mailto:andro...@googlegroups.com] On
Behalf Of Tim Mensch
Sent: Wednesday, July 06, 2011 9:19 AM
To: andro...@googlegroups.com
Subject: Re: how to make http connection using ndk?

Tim


Tim Mensch

Jul 6, 2011, 5:55:39 PM
to andro...@googlegroups.com
Yes, that did occur to me. An alternative would be using JNI to call the
Java HTTP methods, but I don't want to be on the hook for providing
examples for that.

I'm not sure what would qualify as a "real" security measure, though,
short of a design that doesn't require any of the secrets to be on the
client.

Tim

Grisha

Aug 10, 2011, 3:20:45 PM
to android-ndk
On Jul 5, 08:59, Tim Mensch <tim.men...@gmail.com> wrote:
> On 7/4/2011 10:48 PM, Hitendrasinh Gohil wrote:
>
> > I am using the SDK and now I need to make an HTTP connection in the NDK. Can
> > anybody help me with how I can make an HTTP connection using the NDK?
>
> Either link in an HTTP library (that you also build) or use JNI to
> connect with the Java library.
>
> Tim

How can I build an HTTP library? Where can I get it?

Stephen Williams

Aug 11, 2011, 4:39:44 AM
to andro...@googlegroups.com
The most popular, and one that is being used frequently on Android natively, is libcurl.

I worked hard last year to find a way in Android Java to get HTTPS, with a proxy, with SSL errors ignored (for debugging proxy enabled development, using Charles).  I did find a way, which I should publish soon, but it was not at all easy.  None of the standard ways to do it with generic Java work and most examples are obsolete or don't apply (JDK vs. Apache-based stacks).  Android's SDK API is essentially frozen when they decide an API is stable.  The HTTP related APIs were frozen at Android API level 1, however the Apache code they are based on has evolved quite a bit and the API is significantly different and better.  One of the things they fixed was proxy/error handling access...  You can run around quite a bit trying to discern which is the old vs. new API vs. what will compile in Eclipse vs. what will actually run on Android.

So, sometimes something like libcurl and native code handling networking isn't a bad idea.  Although it does work well enough in Java for most things.

Stephen





--
--
Stephen D. Williams s...@lig.net scie...@gmail.com LinkedIn: http://sdw.st/in
V:650-450-UNIX (8649) V:866.SDW.UNIX V:703.371.9362 F:703.995.0407
AIM:sdw Skype:StephenDWilliams Resume: http://sdw.st/gres
Personal: sdw.st facebook.com/sdwlig twitter.com/scienteer

Tim Mensch

Aug 11, 2011, 12:46:18 PM
to andro...@googlegroups.com
On 8/11/2011 2:39 AM, Stephen Williams wrote:
> I worked hard last year to find a way in Android Java to get HTTPS,
> with a proxy, with SSL errors ignored (for debugging proxy enabled
> development, using Charles). I did find a way, which I should publish
> soon, but it was not at all easy. None of the standard ways to do it
> with generic Java work and most examples are obsolete or don't apply
> (JDK vs. Apache-based stacks). Android's SDK API is essentially
> frozen when they decide an API is stable. The HTTP related APIs were
> frozen at Android API level 1, however the Apache code they are based
> on has evolved quite a bit and the API is significantly different and
> better. One of the things they fixed was proxy/error handling
> access... You can run around quite a bit trying to discern which is
> the old vs. new API vs. what will compile in Eclipse vs. what will
> actually run on Android.

It sounds like you've resolved this problem already, but in case you're
still interested in the Java solution, I found it here:

http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/

You just import the signing cert and you can connect with a self-signed
HTTPS host. If that's not enough (not sure what you're doing with the
proxy?), you can create the socket factory with
ALLOW_ALL_HOSTNAME_VERIFIER, which should ignore the host name entirely.

Tim

Stephen Williams

Aug 11, 2011, 2:43:47 PM
to andro...@googlegroups.com
I think the original question has been answered: use libcurl for NDK/native http networking.

Now we're talking about solving a different problem: using proxies and ignoring SSL errors in Java on Android:

I couldn't get certificates imported or loaded properly on Android.  Looks like good information at that link, but there are also comments from many people who had difficulties.  A lot of the problems I had were with using a proxy while ignoring SSL errors.  I believe it was reasonably easy to do either, but not both together.  With what I ended up with, I just make a call to disable each security feature and it works with no imports, etc.  Perfect for debugging.

In my situation, I could only use TLS to talk to the server, each XML-based request/response had to be signed and encrypted in a complicated way (OAuth like, but not different, using signing method I had to construct since Android didn't have it yet), and there was virtually no error result when anything was wrong.  And no access to server source code or logs.  Plus the application protocol was large, complicated, and evolving along with client app.  Layers of urlencoding to get right, etc.

I remember trying the ALLOW_ALL_HOSTNAME_VERIFIER and it didn't work for me.  Also, I needed to ignore errors about certificates not signed by a CA.  All, as I mentioned, through an http proxy while using TLS.

Charles has a self-signed CA cert you can import, and it will automatically take care of it for local browsers, etc., but not easy to get working with Android.

Stephen



Tim Mensch

Aug 11, 2011, 2:56:11 PM
to andro...@googlegroups.com
On 8/11/2011 12:43 PM, Stephen Williams wrote:
> Charles has a self-signed CA cert you can import, and it will
> automatically take care of it for local browsers, etc., but not easy
> to get working with Android.

OK, well, I was able to get it to work with a free cert from
https://www.startssl.com, but I had to import their CA chain which is
not built in to Android devices. Since I got the rest of it to work,
changing to ALLOW_ALL_HOSTNAME_VERIFIER should have prevented it from
having problems with a proxy.

But if your solution works, then run with it. :)

Tim
