How to do an HTTPS POST from Android?

java android ssl https httpsurlconnection
DJM picture DJM · May 12, 2013 · Viewed 56.8k times · Source

I want to do a HTTPS post method to send some data from my android app to my website.

I used HttpURLConnection first and it's working fine with my HTTP URL. My production website is on HTTPS and I want to send the same POST using HttpsURLConnection. Can someone help me use the class properly?

I found some source at this link:

KeyStore keyStore = ...;    
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");    
tmf.init(keyStore);

SSLContext context = SSLContext.getInstance("TLS");   
context.init(null, tmf.getTrustManagers(), null);

URL url = new URL("https://www.example.com/");   
HttpsURLConnection urlConnection = (HttpsURLConnection)
url.openConnection();   
urlConnection.setSSLSocketFactory(context.getSocketFactory());   
InputStream in = urlConnection.getInputStream();

What should be the value of KeyStore keyStore = ...;?

I tried sending the data using the same HttpURLConnection, but I am seeing some POST data is missed or in error.

I've tried the method from this question. I am pasting my code below

String urlParameters="dateTime=" + URLEncoder.encode(dateTime,"UTF-8")+
    "&mobileNum="+URLEncoder.encode(mobileNum,"UTF-8");

URL url = new URL(myurl);
HttpsURLConnection conn;
conn=(HttpsURLConnection)url.openConnection();

// Create the SSL connection
SSLContext sc;
sc = SSLContext.getInstance("TLS");
sc.init(null, null, new java.security.SecureRandom());
conn.setSSLSocketFactory(sc.getSocketFactory());
conn.setConnectTimeout(HTTP_CONNECT_TIME_OUT);
conn.setReadTimeout(HTTP_READ_TIME_OUT);

//set the output to true, indicating you are outputting(uploading) POST data
conn.setDoOutput(true);
//once you set the output to true, you don't really need to set the request method to post, but I'm doing it anyway
conn.setRequestMethod("POST");
conn.setFixedLengthStreamingMode(urlParameters.getBytes().length);
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

PrintWriter out = new PrintWriter(conn.getOutputStream());
out.print(urlParameters);
out.close();

InputStream is = conn.getInputStream();
BufferedReader in = new BufferedReader(new InputStreamReader(is));
String inputLine;
while ((inputLine = in.readLine()) != null) {
  response += inputLine;            
}

The error I am getting is below:

05-12 19:36:10.758: W/System.err(1123): java.io.FileNotFoundException: https://www.myurl.com/fms/test
05-12 19:36:10.758: W/System.err(1123):     at libcore.net.http.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:177)
05-12 19:36:10.758: W/System.err(1123):     at libcore.net.http.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:270)
05-12 19:36:10.758: W/System.err(1123):     at .httpRequest(SMSToDBService.java:490)
05-12 19:36:10.758: W/System.err(1123):     at com..access$0(SMSToDBService.java:424)
05-12 19:36:10.758: W/System.err(1123):     at com.$ChildThread$1.handleMessage(SMSToDBService.java:182)
05-12 19:36:10.758: W/System.err(1123):     at android.os.Handler.dispatchMessage(Handler.java:99)
05-12 19:36:10.758: W/System.err(1123):     at android.os.Looper.loop(Looper.java:156)
05-12 19:36:10.758: W/System.err(1123):     at com.$ChildThread.run(SMSToDBService.java:303)

Answer

tbkn23 picture tbkn23 · May 12, 2013

You can use the default CAs that are defined in the android device, which is just fine for any public web.

If you have a self-signed certificate, you can either accept all certificates (risky, open to man-in-the-middle attacks) or create your own TrustManagerFactory, which is a bit out of this scope.

Here's some code to use the default CAs for a https POST call:

private InputStream getInputStream(String urlStr, String user, String password) throws IOException
{
    URL url = new URL(urlStr);
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

    // Create the SSL connection
    SSLContext sc;
    sc = SSLContext.getInstance("TLS");
    sc.init(null, null, new java.security.SecureRandom());
    conn.setSSLSocketFactory(sc.getSocketFactory());
      
    // Use this if you need SSL authentication
    String userpass = user + ":" + password;
    String basicAuth = "Basic " + Base64.encodeToString(userpass.getBytes(), Base64.DEFAULT);
    conn.setRequestProperty("Authorization", basicAuth);
    
    // set Timeout and method
    conn.setReadTimeout(7000);
    conn.setConnectTimeout(7000);
    conn.setRequestMethod("POST");
    conn.setDoInput(true);
    
    // Add any data you wish to post here
    
    conn.connect();
    return conn.getInputStream();
}

To read the response:

String result = new String();
InputStream is = getInputStream(urlStr, user, password);
BufferedReader in = new BufferedReader(new InputStreamReader(is));
String inputLine;
while ((inputLine = in.readLine()) != null) {
    result += inputLine;            
}

Related questions

Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error

I am trying to do a simple HttpGet to read a webpage. I have this working on iOS and working on Android over http, but not https. The url is an internal network IP and custom port, so I can …

Read More
javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:

I am trying to use HTTPS connection with self-signed certificate. I have followed steps of creating self-signed certificate as mentioned here - Creating Self-signed certificate. Everything works fine even in browser, it only shows me a message that my certificate …

Read More
Enabling specific SSL protocols with Android WebViewClient

My application uses WebViewClient to make SSL connections to the server. The server is configured to only accept TLSv1.1 and above protocols. 1) How do I check which SSL protocols are a) Supported and b) Enabled by default when using Android …

Read More