Through some reading, I have a fairly rough understanding of how HTTPS works with Android apps, especially how certificate validations are done. Some of the resources that I referred to for gaining this understanding would be:
- Validating certs in Android
- SSL in Android apps
- Validating SSL - Android
As per my understanding, I could roughly say that apps can validate against:
- The default Trust Store that Android provides, which has a list of all the CA certificates that are trusted by default by the OS and hence by the browser and the app itself. This is the same list of CAs that can also be seen in Settings -> Security -> Trusted credentials (in JB+) or system/etc/security/cacerts.bks (in Android < JB).
- Developers can choose to define their own custom keystores and make an SSLSocketFactory with them to trust their custom trust store.
My question revolves around the first case described above. In most of the places where I could read about it, I found it mentioned that for validating the certificates against the default Trust Store, the developer does not really need to do anything explicitly. Just hit the HTTPS endpoint and play on with the HttpsURLConnection object returned.
The certificate validation itself is internally (by default) taken care of by the Android OS.
Now I would like to know how exactly the above (highlighted) is done. What is the API/internal method/anything else that Android actually calls to do this certificate validation? Where can I find this information? One approach I can think of is to go through the Android source itself, but I have no clue which part of the code does it (and it would be a lot of effort).
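As an added illustration (not part of the question above), this Java snippet shows the two validation paths the post describes side by side: the platform default X509TrustManager, which is what an unconfigured HttpsURLConnection validates against internally, and an SSLSocketFactory built over a custom BKS trust store. `checkServerTrusted` is the method the TLS handshake invokes on whichever trust manager is in effect; the class and method names and the "RSA" authType value are assumptions for this demo.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreDemo {

    /** Case 1: the trust manager HttpsURLConnection uses when nothing is configured.
     *  Initialising the factory with a null KeyStore selects the platform default
     *  CA store (on Android, the system "Trusted credentials" list). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                      // null -> platform default store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager in default factory");
    }

    /** Runs the same check the handshake performs on a server chain, e.g. one
     *  obtained from conn.getServerCertificates() after connect(). */
    static boolean trustedByDefaultStore(X509Certificate[] chain) throws Exception {
        try {
            defaultTrustManager().checkServerTrusted(chain, "RSA"); // authType is assumed
            return true;
        } catch (CertificateException e) {
            return false;                               // unknown root, expired, bad name...
        }
    }

    /** Case 2: a developer-supplied BKS trust store wired into an SSLSocketFactory,
     *  so only the CAs inside it are trusted for this connection. */
    static HttpsURLConnection openWithCustomStore(URL url, InputStream bks, char[] pw)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("BKS");
        ks.load(bks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                   // custom store instead of null
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // replaces default validation
        return conn;
    }
}
```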