[Tizen Application-dev] [Security-MIMT] Tizen Native HTTPS Server Certificate Validation

전영호 ykernel.jeon at samsung.com
Fri Dec 6 08:29:08 GMT 2013


Dear All,

I want to let you know something about Server Certificate Validation when
you communicate over HTTPS through the Tizen Native API.

For a Tizen Native Application to communicate over HTTPS through the Tizen
Native HTTP API, you need to implement the following listener interface, as
you know.

- public Tizen::Net::Http::IHttpTransactionEventListener

When you implement this listener in your class, you should also implement the
following method (if you want to communicate over HTTPS):

- virtual void IHttpTransactionEventListener::OnTransactionCertVerificationRequiredN(HttpSession& httpSession, HttpTransaction& httpTransaction, Tizen::Base::String* pCert)

This method is called to accept input from the user on whether to resume or
pause the transaction in case the Server Certificate is not verified.

The certificate for the server has been issued by an authority that is not
trusted by the Tizen device.

This may mean that the server has generated its own security credentials,
which the Tizen device cannot rely on for identity information, or an attacker
may be trying to intercept your communications.

You should not proceed if this callback method has never been called for
the current URI.

For an unreliable Server Certificate, you should call the following method.

- HttpTransaction::Pause()

Or, you can also proceed anyway through the following method.

But you have to keep in mind that this way can induce an MITM attack.

- HttpTransaction::Resume()

Refer Link 1 (Using HTTPS) : https://developer.tizen.org/dev-guide/2.2.1/org.tizen.native.appprogramming/html/tutorials/net_tutorial/using_HTTPS.htm

Refer Link 2 (OnTransactionCertVerificationRequiredN API Reference) : https://developer.tizen.org/dev-guide/2.2.1/org.tizen.native.apireference/classTizen_1_1Net_1_1Http_1_1IHttpTransactionEventListener.html#ad618bce1d3bd488adddb2133788ef37d

Thanks.
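
A fail-closed handler for the callback described above, as an added example that is not part of the original post or of the Tizen SDK. The types in namespace Standin are constructed stand-ins so the block compiles off-device, and StrictCertListener and SimulateUntrustedServer are hypothetical names.

```cpp
// Added example. The three types in Standin are minimal stand-ins
// (assumptions) for Tizen::Base::String, Tizen::Net::Http::HttpSession and
// Tizen::Net::Http::HttpTransaction, which on a device come from the SDK.
#include <string>

namespace Standin {
struct String { std::string text; };   // stand-in: certificate text
struct HttpSession {};                 // stand-in: unused by the handler
struct HttpTransaction {               // stand-in: records which call was made
    enum State { RUNNING, PAUSED, RESUMED };
    State state = RUNNING;
    void Pause()  { state = PAUSED; }
    void Resume() { state = RESUMED; }
};
}
using namespace Standin;

// Fail-closed listener: an unverified server certificate never reaches Resume().
class StrictCertListener {
public:
    int rejected = 0;           // number of transactions stopped
    std::string lastRejected;   // certificate text kept for logging or user display

    // Same parameter list as
    // IHttpTransactionEventListener::OnTransactionCertVerificationRequiredN.
    void OnTransactionCertVerificationRequiredN(HttpSession& httpSession,
                                                HttpTransaction& httpTransaction,
                                                String* pCert)
    {
        (void)httpSession;
        if (pCert != nullptr) {
            lastRejected = pCert->text;
            delete pCert;   // Tizen "N" suffix convention: the receiver frees pCert
        }
        ++rejected;
        httpTransaction.Pause();   // hold the transaction; Resume() is never called here
    }
};

// Drives the handler the way the HTTP stack would for an untrusted certificate.
// The certificate string is constructed sample data.
HttpTransaction::State SimulateUntrustedServer(StrictCertListener& listener)
{
    HttpSession session;
    HttpTransaction transaction;
    listener.OnTransactionCertVerificationRequiredN(
        session, transaction, new String{"CN=self-signed.example (constructed)"});
    return transaction.state;
}
```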
