Android_interview github Address

Hello everyone, I am Programmer Xu Gong, with five years of experience at large and medium-sized companies, plus an internship. To get to know me, follow my WeChat public account Programmer Xu Gong

  1. Reply "Dark horse" to the Xu Gong public account to get Android learning videos
  2. Reply "Xu Gong 666" to the public account to get resume templates and learn how to optimise your resume and enter a big company
  3. Reply "interview" to the public account to get common interview algorithms and the answer key to Sword Offer
  4. Reply "hibernate" to the public account to get the horse soldier learning videos

Preface

In the blink of an eye, more than half of 2020 has passed. 2020 has been a hard year: there has been a lot of news about layoffs, pay cuts and no year-end bonuses at various companies. But life always goes on, and time does not give you the chance to give up. If we can hold on and keep improving ourselves, new opportunities may come.

During interviews, fundamentals such as networking (http, https, tcp, udp), the JVM and the class loading mechanism come up frequently. Every programmer can say a lot about them, but not necessarily to the point, or with an understanding of the underlying principles.

I am often asked about them in interviews, so I wrote this summary. Don't underestimate these fundamentals: sometimes your algorithms and project experience go fine but the basics are answered poorly. You may still pass, but it will certainly affect your rating, which is a real loss. So why not take a moment to memorise them and understand the principles behind them.

Take a simple example: what does the https connection process look like, what kind of encryption does it use, can its traffic be captured, and how do you prevent capture? Can you answer as follows?

Without further ado, let's get into the main text.

Background

We know that http communication has the following problems:

  • Communication is in clear text and may be eavesdropped on
  • The identity of the communicating party is not verified, so it may be impersonated
  • The integrity of the message cannot be proven, so it may have been tampered with

Using https solves the data security problem, but do you really understand https?

When the interviewer asks you these soul-searching questions, can you answer fluently?

  1. What is https, and why https
  2. The https connection process
  3. What encryption does https use: symmetric and asymmetric encryption, and why is it designed like this? Why use symmetric encryption for content transfer
  4. Is https absolutely safe
  5. Can https traffic be captured

If you can answer these freely, congratulations: you have almost mastered https, which is enough for an interview.

What is https

Simply put, https is http + ssl: it encrypts the http communication content. It is the secure version of HTTP, that is, the HTTP protocol encrypted with TLS/SSL.

The role of https:

  1. Content encryption: establishes a secure channel to protect data in transit;
  2. Identity authentication: confirms the authenticity of the website;
  3. Data integrity: prevents the content from being impersonated or tampered with by a third party.

What is SSL

SSL was created by Netscape in 1994 to provide secure Internet communication over the Web. It is a standard protocol used to encrypt communication between browser and server, and it lets account passwords, bank card numbers, phone numbers and other private information be transferred over the Internet securely and easily.

An SSL certificate is a digital certificate, conforming to the SSL protocol, issued by a trusted CA organisation.

How SSL/TLS works:

To understand how SSL/TLS works, we need to understand the encryption algorithms. There are two kinds: symmetric and asymmetric encryption.

Symmetric encryption: both sides of the communication encrypt with the same key. Its advantage is speed; its disadvantage is that the key must be protected, because if the key is compromised, the encryption can be broken by someone else. Common symmetric algorithms are AES and DES.

Asymmetric encryption: two keys are generated, a public key (Public Key) and a private key (Private Key).

The public key, as the name suggests, is public and anyone can obtain it, while the private key is kept private. Most programmers know this from SSH keys: when we push code to github, we generate a private key and a public key locally; the private key stays in the local .ssh directory and the public key is added on the github website. After that, pushing code no longer asks for a username and password, because github identifies us by the public key stored on the site.

The public key encrypts and the private key decrypts; or the private key encrypts and the public key decrypts. This kind of algorithm is more secure, but its computation is far heavier than symmetric encryption, so encryption and decryption are slow. A common asymmetric algorithm is RSA.

The https connection process

The https connection process is roughly divided into two stages: the certificate verification phase and the data transmission phase.

Certificate verification phase

It is roughly divided into three steps:

  1. The browser sends a request
  2. After the server receives the request, it returns its certificate, which includes the public key
  3. After the browser receives the certificate, it checks whether the certificate is legitimate; if it is not, a warning pops up (how legitimacy is verified is analysed in detail below, so ignore it for now)

Data transmission phase

After the certificate has been verified as legitimate:

  1. The browser generates a random number,
  2. encrypts it with the public key and sends it to the server
  3. The server receives the value from the browser and decrypts it with the private key
  4. After successful decryption, the server uses a symmetric encryption algorithm to encrypt the content and transfers it to the client

From then on, the two sides communicate using the random number generated in the first step as the key for encrypted communication.

What encryption does https use: symmetric and asymmetric encryption, and why is it designed like this

From the above we can see that https encryption is a combination of symmetric and asymmetric encryption.

In the certificate verification phase, asymmetric encryption is used.

In the data transmission phase, symmetric encryption is used.

The advantage of this design is that it maximises both security and efficiency.

In the certificate verification phase, asymmetric encryption needs a public key and a private key. Even if the public key held by the browser leaks, the random number remains secure, because the encrypted data can only be decrypted with the private key. This protects the random number as far as possible.

In the content transfer phase, symmetric encryption greatly improves the efficiency of encryption and decryption.

Why use symmetric encryption for content transfer

  1. Symmetric encryption is more efficient
  2. A pair of public and private keys only realises one-way encryption and decryption, and only the server holds the private key. If asymmetric encryption were used for the content, every client would need its own private key. Designing it that way, with a private key per client, is obviously unreasonable, because a private key has to be applied for.

Is https absolutely safe

It is not absolutely safe: it can be attacked through a man in the middle.

What is a man-in-the-middle attack

In a man-in-the-middle attack, the attacker establishes independent connections with each end of the communication and relays the data between them, so that both sides believe they are talking directly to each other over a private connection, while in fact the whole session is controlled by the attacker.

HTTPS uses the SSL cryptographic protocol, which is a very secure mechanism; there is no way to attack the protocol itself directly. Instead, the attack usually happens while the SSL connection is being built: the client's request is intercepted, and the middleman uses its own CA certificate, asymmetric public key and symmetric key; with these in place, requests and responses can be intercepted and tampered with.

Process:

  1. The local request is hijacked (for example by DNS hijacking), so all requests go to the middleman's server
  2. The middleman's server returns its own certificate
  3. The client creates a random number, encrypts it with the public key from the middleman's certificate and sends it to the middleman, then uses the random number to set up symmetric encryption for the transmitted content
  4. Because the middleman has the client's random number, it can decrypt the content with the symmetric algorithm
  5. The middleman forwards the client's request content to the real website
  6. Because the communication between the middleman and the server is legitimate, the real website returns encrypted data over the secure channel it established
  7. The middleman decrypts the content with the symmetric algorithm established with the real website
  8. The middleman re-encrypts the data returned by the real website with the symmetric algorithm established with the client
  9. The client decrypts the returned data with the symmetric algorithm established with the middleman

Because the certificate is not verified, although the client initiated an HTTPS request, it has no idea that its connection has been intercepted and the transmitted content stolen by the middleman.

How https prevents man-in-the-middle attacks

https requires a certificate, and the purpose of the certificate is to prevent man-in-the-middle attacks. If a middleman M intercepts the client's request, M provides its own public key to the client and then requests the public key from the server; acting as the "intermediary", M ensures that neither client nor server knows the information has been intercepted. So we need to prove that the server's public key is the genuine one.

How to prove it?

We need an authoritative third party to act as arbiter. That third party is the CA. In other words, the CA is an organisation dedicated to authenticating public keys, a guarantor that vouches for them. There are only a hundred or so well-known CAs in the world, all globally recognised, such as VeriSign and GlobalSign; a well-known CA in China is WoSign.

There is something wrong with the above; the correct answer is as follows:

https by itself cannot prevent man-in-the-middle attacks; only certificate pinning (ssl-pinning) or signature verification with a certificate pre-set in the apk can prevent them. See this article for details.

Android in Https Ask how to prevent man in the middle attacks and Charles Principle of bag grabbing

How does the browser ensure the validity of the CA certificate?

1. What information does the certificate contain?

Issuing authority information, public key, company information, domain name, validity period, fingerprint...

2. What is the basis of a certificate's validity?

First, the authority has to be certified: not every institution is qualified to issue certificates, otherwise it would not be an authority. In addition, the credibility of a certificate rests on trust: the authority endorses the certificates it issues, and as long as a certificate was generated by an authority, we consider it legitimate. So the authority reviews the applicant's information; different levels of authority have different audit requirements, which is why certificates are divided into free, cheap and expensive.

3. How do browsers verify the validity of certificates?

When the browser initiates an HTTPS request, the server returns the website's SSL certificate, and the browser needs to verify it as follows:

  1. Verify that the domain name, validity period and other information are correct. The certificate contains this information, so it is easy to verify;
  2. Determine whether the source of the certificate is legitimate. Every certificate can be traced along its chain to the corresponding root certificate; the operating system and browser store the root certificates of the authorities locally, and the local root certificate can be used to complete the source verification of the certificates issued by the corresponding organisation;
  3. Determine whether the certificate has been tampered with. This needs a check with the CA's server;
  4. Determine whether the certificate has been revoked. This is implemented with a CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol); OCSP can be used in step 3 to reduce interaction with the CA server and improve verification efficiency.

The browser only considers the certificate legitimate when every one of the above steps passes.

Can https traffic be captured

HTTPS data is encrypted; in general, the packet content captured by a capture tool's proxy is in encrypted form and cannot be viewed directly.

However, we can still capture it with a capture tool, whose principle is to simulate a middleman.

The usual way to capture HTTPS with a capture tool is to generate a certificate that the user must manually install on the client. All requests initiated by the device then complete their interaction with the capture tool through that certificate; the capture tool forwards the request to the server, and finally the result returned by the server is shown in the console and passed back to the device, completing the whole request loop.

The principle of https packet capture is covered in this article.

Android platform HTTPS Solution and problem analysis of grab bag

Someone might ask: since HTTPS cannot prevent packet capture, what is the point of HTTPS?

HTTPS prevents the communication link from being monitored without the user's knowledge; it offers no protection against capture that the user has actively trusted, because in that scenario the user is already aware of the risk. To prevent capture, application-level protection is needed, such as a private symmetric encryption scheme, together with anti-decompilation and hardening of the mobile app so that the local algorithm cannot be cracked.

Extension

How to prevent packet capture?

For an HTTPS API, how do we prevent capture? Since the problem is certificate trust, the solution is to preset the certificate in our APP. During the TLS/SSL handshake, the public key from the preset local certificate is used to verify the server's digital signature, and the handshake only succeeds if the signature verifies. Since the digital signature is generated with the private key, which only we hold, a middleman cannot forge a valid signature, so the attack fails and the traffic cannot be captured.

At the same time, to prevent the preset certificate from being replaced, the certificate can be stored encrypted and 「embedded」, for example in an image or an audio file. This touches on the field of information steganography; we can discuss that topic in detail another time.

For how Android Https prevents man-in-the-middle attacks and how Charles captures packets, see this article.

Android in Https Ask how to prevent man in the middle attacks and Charles Principle of bag grabbing

Preset certificate / public key update problem

Although this solves the capture problem, there is another issue: the certificates we buy have a validity period, and the certificate must be updated before it expires. There are two main approaches:

Provide an update interface for the preset certificate. When the current certificate is about to expire, the APP requests a new preset certificate; during the transition period both certificates are valid at the same time, until the certificate switch is safely completed. This approach has a certain maintenance cost and is not easy to test.

Embed only the public key in the APP, so that as long as the private key does not change, the public key does not need to be updated even when the certificate is renewed. However, this does not meet the security audit requirement of rotating the private key periodically. A compromise is to preset several public keys at once and accept any of them. Given that our certificates are generally purchased on a 3-5 year cycle, 3 public keys cover 9-15 years; meanwhile, we can also release new versions during that period that add a new public key, so the public keys can be updated indefinitely.
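As an added example (not from the article, nor from any project it links to), the Go program below builds two throwaway PKIs in memory with the standard library: a genuine root CA that issues the server's certificate, and a "capture proxy" CA that issues its own certificate for the same hostname, which is the situation the packet-capture sections above describe once the user has installed the tool's root. It then runs the browser's chain check from the section on certificate validity and the app's pin check from the section on preventing capture, including the "any of several pinned public keys" rule for rotation described just above. The hostname api.example.com, the CA names, all keys and the function names are constructed for the demonstration; the pin format, base64 of the SHA-256 of the SubjectPublicKeyInfo, is the one used by HTTP Public Key Pinning and by Android's network security configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

const host = "api.example.com" // constructed hostname for the demonstration

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// template carries the fields the browser checks: subject, validity period, DNS name, and whether the holder may issue certificates.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signer under parent; passing tmpl as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// spkiPin is the usual pin format: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Scenario holds the genuine PKI, an interception PKI modelled on a capture proxy's own CA, and the app's pin list (current server key plus a spare).
type Scenario struct {
	GenuineRoot, GenuineLeaf, ProxyRoot, ProxyLeaf *x509.Certificate
	Pins                                           []string
}

func BuildScenario() *Scenario {
	rootKey, proxyKey, spareKey := genKey(), genKey(), genKey()
	rootTmpl, proxyTmpl := template(1, "Genuine Root CA", true), template(3, "Capture Proxy CA", true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf := issue(template(2, host, false), root, &genKey().PublicKey, rootKey)
	proxyRoot := issue(proxyTmpl, proxyTmpl, &proxyKey.PublicKey, proxyKey)
	proxyLeaf := issue(template(4, host, false), proxyRoot, &genKey().PublicKey, proxyKey)
	spareDER, err := x509.MarshalPKIXPublicKey(&spareKey.PublicKey) // spare key pinned ahead of rotation
	must(err)
	return &Scenario{GenuineRoot: root, GenuineLeaf: leaf, ProxyRoot: proxyRoot, ProxyLeaf: proxyLeaf,
		Pins: []string{spkiPin(leaf.RawSubjectPublicKeyInfo), spkiPin(spareDER)}}
}

// VerifyChain is the browser's check from the article: hostname, validity period, and a chain ending at a root in the trust store.
func VerifyChain(leaf *x509.Certificate, trustStore ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trustStore {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// PinMatches accepts the leaf only if its public key matches one of the pins.
func PinMatches(leaf *x509.Certificate, pins []string) bool {
	for _, p := range pins {
		if p == spkiPin(leaf.RawSubjectPublicKeyInfo) {
			return true
		}
	}
	return false
}
```

Running the checks from a test or a small main shows the contrast the article draws: the proxy's certificate fails VerifyChain against the genuine root alone, passes it as soon as the proxy CA is added to the trust store (the "user installed the tool's certificate" case), and is still rejected by PinMatches because the app compares the server's public key rather than asking who signed it. Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the certificate be renewed without an app update, and pinning a spare key alongside the current one is the rotation scheme from the paragraph above. Revocation (CRL/OCSP) is not modelled here.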


Summary

The questions from the beginning: can you answer them fluently now?

  1. What is https, and why https
  2. The https connection process
  3. What encryption does https use: symmetric and asymmetric encryption, and why is it designed like this? Why use symmetric encryption for content transfer
  4. Is https absolutely safe
  5. Can https traffic be captured

I recently updated a repository on github, mainly with interview materials; if you are interested, please follow it: Android_interview

Recommended reading

Android startup optimisation (1) - Directed acyclic graph

Android startup optimisation (6) - A deep understanding of layout optimisation

My 5-year Android learning path, and the pits we stepped in together over those years

How to write a good programmer's resume, from a 5-year veteran

Alibaba DingTalk and Tiktok Android interview experience sharing
