IssueTracker

Solving this issue may also go some way to solving the needs of those moving from
WinMo to Android with corporate resources such as Office Communicator (OCS client)and
Outlook Web Access.  Many large enterprises secure these web-based services with
client certificates. This is a significant problem to the adoption of Android OS
smartphones by corporate users.

I switched to Android several months ago and would also find this extremely useful,
especially at work. At corporate world, client side certificates are sometimes a must...

Actually iPhone safari and Windows Mobile Internet explorer mobile support this function, client
authentication in SSL. Only Android default browser don't support this function and seems don't have a
plan for this function. It's very import feature for entherprise environment.  

Client certificates in the browser would be very helpful at my educational
institution.  Many of our internal websites request client certificates, and it
would be great if the native android browser could work with these sites.

I do understand that this may be non-trivial.

Off the top of my head, features that would be useful are:
* Ability to add an internal private CA to the browser's list of trusted CAs
* Ability to add one or more client certificates to the browser certificate store
* Ability for the browser present a client certificate to sites that want one.
(It would be great if the Android browser can handle both sites with Apache
directive "SSLVerifyClient required" and sites with "SSLVerifyClient optional" -
Mobile Safari doesn't appear to support the latter.)

Adding my vote.  We need client cert authentication to elevate previously untrusted
evices to some form of managed trust.  This is a must for enterprise security.

This is the last major issue I have with any mobile device in my organization.  We
must use client certificates.  I have a private 3 tier MS PKI.  Both Iphone OS and
Android are ALMOST there with TLS, some apps can use like touchdown and activesync on
the Iphone (not Andriod).... The browser seems to be the problem with all of them. I
need to use a certificate to access all of our work published internet applications.

Same here

[Comment deleted]

I don't know why Androit still do not have this option but my first smartphone which had Win2003 OS had this!!!
I hope that this will be included in Froyo(2.2)...
Without this I can't:
-Use bank pages
-Manage servers
...

This is very important feature. As agree with dejan.bukovec that how come Windows Mobile has had this for years, and now a brand new platform lacks this kind of elementary feature. Hope this gets addressed soon.

Same here

This feature should not have been left out to begin with. So much of the infrastructure of my employer requires the use of client side ssl certs that my use of android for daily tasks is severely limited.

[Comment deleted]

I also require this feature to view corporate email using OutLook Web Access (owa)

I am also voting for this feature.  I would like to present some sensitive information on an android and need as much authentication as possible.

A 'must have' for my work at university: still not available in 2.2, but I hope to see it soon!

Please let us know the website which you are trying to open the in Android browser.

@manish.inspired: Any website that requires client certificates for authentication, as mentioned in original post. In my case, it's the private admin sections of my site (http://www.gpf-comics.com/); forgive me if I don't publish the direct URL to those hidden pages. ;) However, it uses standard client certificate authentication modules using Apache, mod_ssl, and OpenSSL, a published Internet standard since SSL v3. I have a private certificate authority which I use to sign my own client certs, which I then distribute to the browsers I wish to access the secured pages from. This works just fine in Firefox 3.x without a hitch. Android 2.1 will let me import these client certificates into the built-in certificate store as specified in the original post, but the browser will not use it for authentication when I attempt to access the secured site.

Most of the situations the other users have described should be similar. I imagine most of the enterprise folks are using Microsoft's certificate services rather my Open Source solution, but it should operate fundamentally the same.

@manish.inspired:
I found the corresponding issue on the chromium project:
http://code.google.com/p/chromium/issues/detail?id=318
There you can see some examples including a suggestion about testing it with cacert.org where you can actually request a client certificate for free and test with e.g. https://secure.cacert.org/ .

Perhaps the Chromium or even Firefox implementation may be useful, too?

@manish.inspired
Any of my university's internal sites that require me to present a personal certificate for access. As explained by a few previous posters, Android 2.1 will import the personal certificates into the OS's certificate store, but browsers will not present the certificate to sites that request it.

@manish.inspired: an internal system using a proprietary server--but one that works w/o problem in Firefox and IE. We use certs issued by our own CA.

<quote>
Comment 17  by manish.inspired, Aug 02 (5 days ago)

Please let us know the website which you are trying to open the in Android browser.
</quote>

Try: https://auth.startssl.com/

Thanks!

[Comment deleted]

Using https://auth.startssl.com requires you to obtain a client cert from them first, which is free :-)
I'm really surprised that the browser doesn't include this client side auth method yet as it is quite old and very useful.

This really is a fundamental issue if Android is to be taken seriously in the enterprise.  Certificate auth is neither a new technology, nor a particularly challenging or flashy one.  Please move this up to a high priority.

Without a client SSL cert in the browser on android, we have to use a laptop for all of our sales reps, just to look up customer information (amond MANY MANY other things)... with a client cert we could actually reduce our costs, and provide better service!
Why was this left out?  What was the actual reason, it can't be that hard to have the browser send client certs, and is an absolute necessity for any enterprise deployment? (in more than just an email application)
I agree with danjeffery, can this be moved up to high priority (hopefully with an ETA)?

I would like this to be a high priority.  

CM6 has this support now.  Please integrate the patch into the standard release!

I would love to see this feature.

Our company's internal websites are protected by https + self signed CA certificate + client certificates.
At the moment i cant access any protected website from my HTC Desire.

Agreed with all posts here. I am eager to see this available and want this with HIGH priority. Shame you have cert store at your disposal and can import certs, but its useless as the browser does not look up the cert store and pull a list of available (installed) certs when a page requests one.
C'mon guys, lots of ppl need this functionality. Dolphin , Opera ...why work on tabs , compression , etc, when you should port this amongs one of the first things

I need this feature too. Its really important for business use!

I would like this to be a high priority too.

I really need that too. Can't access my company's website and email. Please implement that!!

agreed with everything above, need this feature too!

Very high priority.

Without client certificates I can't access the companies web page.

It should be possible to password protect the client certificate.

We'd like to equip our team members working in the field with Andriod phones in
order to connect certain web servers (all of them protected with client certificates)

With the current state using Android is a no-go for our projects.

My school also uses client certificates. It would be extremely useful to handle my finances and registration using my droid.

same here...

People, staring this issue is really the equivalent of saying "me too".  Can we try to keep comments to things that actually add to the discussion (ie new ways client certs can be use) and not rehash the same thing over and over? It will make it easier for the developers to ascertain the real content here.

need this feature too!

I have the same problem. My company uses self signed CA certificate + client certificates to limit access to internal website. I could import both of them, but it looks that they are not used by built in browser in my HTC Desire(Eclair)

Greetings. I'm working with an environment which is deployed within the US Department of Defense where client certificates are required on all web servers.

We cannot develop an Android based application without the ability to add client certificates and additional CA certificates. The current 2.0 implementation that lets us import them is fine, but when they are not used anywhere, there's really no point in importing them.

This is a show stopper for us on the Android platform.

clinton.goudienice, if you are developing an application, individual applications can define setup their own javax.net.ssl.SSLContext with a KeyManager that supplies client certificates and a TrustManager that provides additional CAs. That is how third-party applications such as Nitrodesk Touchdown are able to do client-certificate support for Exchange.

Thanks b...@google.com. We are in the process of investigating just that, however it represents a problem for using the browser directly to hit anything.

clinton.goudienice, I'm not sure if a WebView embedded in the application itself can specific a different SSLContext instead of the default one. There are alternative browsers that reuse varying amounts of the Android framework. For example, the Firefox beta seems to completely do their own thing. Opera does things server side, but won't work with intranet apps which might be a DoD requirement.

I assume that everyone here is talking about devices purchased from carriers and running OOTB software. It's been so long since I've run vanilla Android that I'm not sure what the permissions look like on the stock software, but at least with root access, you should be aware that you can do the following:

There is a BountyCastle trust store at /system/etc/security/cacerts.bks. With access, you can add your own CA certificates to this.

While there are indeed built-in & third-party APIs for performing client certificate authentication, please bear in mind that this issue is specifically about the deficiency of this feature in the Android built-in browser which, as far as I can still, still has not been addressed. I'd rather take advantage of my existing interface rather than completely rebuild it as an app, and I know I'm not looking to write a full browser just to access my admin interfaces remotely.

jeff.darlington, I expect improvements to the built in browser as part of http://code.google.com/p/android/issues/detail?id=11231.

this feature have to be included in android mobiles for its long going i am having too much difficulties as all my office work or say web applications depend on client certificate

After loving my Motorola Droid since I got it, this is beginning to be very frustrating for me.  I was forced to go with two phones, BlackBerry for work, Droid for everything else.  Work now supports iPhone, which supports client cert auth, and now that Verizon is launching iPhone, I may have to give in to the dark side and get one, since it will support all the features I need.

Under Mozilla Fennec/Mozilla Firefox for Android this is already possible:

https://support.mozilla.com/bg/questions/786035#answer-142961 

https://market.android.com/details?id=org.sandrob

but currently works only on API level 8 (2.2)
add new urls with Bookmarks->Add new

@Comment 50: The process for adding client certs to Firefox for Android looks pretty convoluted, and at a minimum it seems to require using ADB to get the certificate store on and off the device. I haven't tried it myself, but it might even require root access; I'm not sure if just turning on debugging will do. While it might work for tech savvy tinkerers and developers, it's certainly not going to work for corporate IT staff or moderately advanced users. Mozilla's going to have to make that process easier before anyone is going to seriously use it.

@Comment 51: Based on your user name, it looks like you're the developer for SandroB. While I thank you for your efforts and work on this, I'm a little confused. You've created a Google Code site for your project, but there's no code in the repository. Are you planning to release this code anytime soon? Considering that the original Android browser is Open Source, that you've selected an Apache license for the project, and that security is often improved by openness and peer review, I'm hoping you plan to provide access to your code so others can vet it. Considering how few downloads and little feedback you have in the Market so far, I know being able to peruse the source would put my mind more at ease on the security of your product. Without further scrutiny, how do I know that, for example, my unencrypted certificates aren't being spirited away to your private server after I've installed them?

I'm glad *someone* seems to be taking some initiative in this area. Based on the comments in Issue 36921330:

https://code.google.com/p/android/issues/detail?id=11231

it seems to me that *if* client certificate support ever makes it into the official Android browser, it's going to end up being in a future version of the OS and most of us with existing devices will be left in the cold until we decide to upgrade our devices with our carriers. I've never liked being held at the mercy of manufacturers, carriers, or anyone else when it comes to my security and privacy, but Google and its partners aren't giving us much of a choice. If this vital feature has to come from the Market, then at least it's coming from *somewhere*.

@Comment 52:
I successfully followed the Mobile Firefox steps using just the usb cable for mounting my sdcard as an ordinary external disk on a linux box. It should be noted that the paths were actually Android/data/org.mozilla.firefox/files/mozilla/<random number>.default/X on the mounted disk instead of
/data/data/org.mozilla.firefox/files/mozilla/<random number>.default/X. The paths directly on the phone would correspondingly be /sdcard/Android/...
Furthermore I could only get it working when setting the passphrase empty during the pk12util import of my certificate. But at least I fianlly have a browser with certificate support on my Android now!
Mobile Firefox begins to look usable (stability and performance wise) in the latest beta, so maybe this is our best shot for now.
I think I recall reading somewhere that the NSS tools needed for native certificate handling in Mobile Firefox were not yet available, so maybe the ordinary user friendly certificate interface will be enabled later.

While I too had my doubts about installing a new and undocumented app for a secure task I took the chance and installed the sandrob browser on my HTC Desire. However, it force closed even before I got to importing a certificate, so there surely are some issues to fix before it is an alternative.

Cheers, Jonas

So now what... do we trust the FireFox solution? I mean the security risks are at stake here.

AFAICT mobile Firefox uses the same public code base as version 4 of desktop Firefox[1], so yes I would trust it about as much as I trust my desktop browser security-wise.

Cheers, Jonas

[1] http://www.mozilla.com/en-US/mobile/4.0b5/releasenotes/

I concur. Mozilla has a proven track record and their source is open and widely scrutinized. Firefox Mobile does use the same core code as desktop Firefox; only the UI is unique for the platform.

Maybe my original Motorola Droid is just showing its age, but my biggest problem with Firefox Mobile is that it's sluggish and slow. When the built-in browser is much faster and does almost everything I need (everything except client certificate authentication), it's hard to support an alternative that is so difficult to use. This, however, might make it worth keeping it installed. I'll have to experiment with it when I have a bit more time on my hands. I have other issues with Firefox Mobile (like its failure to adhere to certain common Android UI conventions), but most of those nit-picky and easily ignorable.

@Comment 53: I think I misread the original instructions, then. I took those paths to be in the device's internal storage, not the SD card, which means you'd have to use an ADB shell to gain access to the file system. If the key store is on the SD card, that makes it a lot easier to deal with. Still not quite accessible enough for widespread adoption, but better. Let's hope a built-in interface for managing certificates will be added before it leaves beta.

Personally, I'm not overly concerned about my private certs having a password. The sites I use client certs with have password authentication anyway, so the cert is primarily used to authenticate the device, not the user. If an attacker were to obtain my phone, they'd still need to crack my 30+ character password to gain access. Obviously, password-protecting the cert as well would be ideal, but it should be easy enough to work around this limitation in many cases. Sites that rely completely on certs for authentication will have problems with this, however.

@Comment 52, @Comment 53
Sorry for late response.
According to your projects in Google code...
http://code.google.com/p/cryptnos-for-android/
http://code.google.com/p/pydroid-proxy/
i will speak more technical about SandroB application
What i did with it, is change that ssl context in not initialized (initializeEngine()) in zygote but later
when first https connection is needed.I am attaching changed file.
It's not a big deal to get it work with harcoded client cert if you build android from sources...

Having webview/webkit/browser around that changed HttpsConnection is the hard part.
So i just reuse what is already in android sources and add GUI that takes filename/password to initializeEngine() function (suspended thread like one for handleSslErrorRequest()).
I will put some working example to sandrob source hosting site soon.

Yes. You can not trust anybody when it comes to SSL implementation.

I would rather answer any question on sandrob issues site than pollute this thread.

My company, which provides sys-ops and sys-admin services, has a number of clients interested in slate computing (IOS & Android platforms). The major concern is security and security granularity for NDA classified information.

Translation: time limited certificates at the document level - this issue applies to both Android and Google-docs.

It would seem to me that the "pull thru" of such a capability would be a greater legitimacy (a perception, to be sure) of Goggle products that would trickle down to less critical, and broader based, use.

Just adding to the list. Yes we would like to see the Android open to viewing more EV SSL security sites.

Is there any improvement in this issue...

@Comment 60: Based on Comment 47 above, I would guess *if* we see any movement on this, it will be tracked in Issue 36921330, which is a more generalized issue than this one. That said, as I mentioned in Comment 52, if we see any change in this at all, it will likely come in future versions of Android (i.e. 3.1 or higher) and will *NOT* be back-ported to earlier versions, as Google considers it new functionality rather than a bug. As with everything else in the mobile space, the mantra "Upgrade or die" seems to hold true. :/

Hi,

https://market.android.com/details?id=org.sandrob.sslexample

Good starting point to create app that uses SSL client certificates.
Feel free to change sources as you needed.

sandrob

There is another option. You can accomplish this in FireFox for android. Its not intuitive to get going but once it is setup it is easier that sandrob.

Check it out here: http://support.mozilla.com/mn/questions/786035#answer-142961.

Caveat is you have to install FireFox to SD card so you can see the correct files as I could not get to these files when they were installed to the main memory.

Same for us, we need this feature

Also this issue will be useful for the protection or security of a HLS streaming.

My phone doesn't support Mozilla Firefox. I really need this significant function for native browser.

instal app called sandrob from market. it's a default android browser
enhanced to support certificates.

I'm guessing the reason I get certificate failure messages is because webkit3.1 don't support certificates?  It is very annoying that every other page you visit tells you that the certificate is invalid.  I fell all this does is conditions us to ignore all certificate warning, thus making the whole certificate system useless.   How do you get these working on android?

As mentioned over at http://code.google.com/p/android/issues/detail?id=11231

The Android 4.0 release does include support for client certificate authentication in the browser. You can experiment with it with the Android 4.0 SDK.

If you need only https browsing you can use my firefox addon for android : https://addons.mozilla.org/en-US/mobile/addon/cert-manager/. It allows you to add a CA and user certificate.

I tried your addon for firefox on 3.1 android, it works fine. Thanks a lot!

This needs to be done

some new android devices do not include the native android browser (Droid Razr Maxx Hd). SandroB is no longer developed and niether is the firefox add-on. is there a way to get a native browser apk for my device?

exbro2000, I assume the Droid Razr Maxx Hd has Chrome. It is a known issue for them. I don't have a public issue handy, I think there is one in their tracker.

Support for this is good in IOS and Windows8 RT, i'll try with chrome as suggested, but why there is no good support as in windowsRT or Ios ?

cyril.drx, Chrome specifically won't work. only the regular Android Browser supports client certificates.

Browser Tech Support 1800 935 0537

Will we ever get paid for the millions of ads that just don't show up in our stats?  It's depressing that they lie on such an epic scale..