Client/server certificates verification support on Android platform
Greetings,
I’m writing with regards to client/server certificate verification support
on the Android platform, where storage access is increasingly limited and
often happens through a dedicated system user that differs from the user
that runs applications.
A bit of background: we develop QField, an open source spatial and
surveying application built on top of QGIS and focused on mobile devices.
While we support multiple platforms these days, our largest bank of users is
on our original supported platform, namely Android, with over 1 million Play
Store installations.
On that platform, we have long supported the possibility of defining
PostgreSQL connections via a pg_service.conf file that users can drop within
the application’s data directory (e.g. <storage
root>/Android/data/ch.opengis.qfield/files) via a USB cable transfer.
However, when users want to define a service that utilizes certificates to
authenticate users (
https://www.postgresql.org/docs/17/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT),
they will hit a permission blockage, as the owner of the copied file will
often not be the user running the application. This also makes it
virtually impossible to manually tweak the file permissions to match the
current u=rw (0600) requirement.
To work around this issue, we have come up with some code which copies the
certificate the user placed on the device to another location, where we
then set the file ownership to the current user running the application
and limit the permissions to match the requirement (
https://github.com/opengisch/QField/blob/4c7bb7feec00af3bd7e52a522c40a2cd62af69e6/src/app/main.cpp#L294-L305
).
While this leads to successful authentication, we were wondering whether
any thought has been given by the PostgreSQL community to the possibility
of allowing more relaxed permission conditions, through whitelisting
specific locations or via environment variables, for platforms such as
Android where permission management is not as straightforward as on Linux
systems.
For example, the documentation page linked above mentions that the
permissions check is not conducted on Windows, as the %APPDATA%\postgresql
directory is presumed secure. That matches the relevant code logic, which
disables the permission check altogether on the Windows platform (e.g.
https://github.com/postgres/postgres/blob/1546e17f9d067e714e066fcdd57d5f56c14f4174/src/backend/libpq/be-secure-common.c#L154-L174,
and
https://github.com/postgres/postgres/blob/1546e17f9d067e714e066fcdd57d5f56c14f4174/src/interfaces/libpq/fe-secure-openssl.c#L1260-L1270
)
Would it make sense for other operating systems beyond Windows to also have
relaxed permissions within specific application-specific folders? On
Android, the application’s data directory would certainly match a similar
set of secure assumptions as the OS restricts its access.
Alternatively, if others on this mailing list have had experience dealing
with client / server certificate authentication of services on Android and
have best practices to share, we’d be more than happy to read those :)
Regards,
Mathieu Pellerin
QField project owner
OPENGIS.ch
--
Mathieu Pellerin
Mr. Ordinato
QField Product Owner | UX/UI Expert
Team QField
mathieu@opengis.ch
https://opengis.ch
LinkedIn: https://www.linkedin.com/company/opengisch/
Mastodon: https://fosstodon.org/@opengisch
GitHub: https://github.com/opengisch/
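As an added example (not code from the thread, from libpq or from QField), the following C program models the u=rw (0600) key-file rule the message refers to and the copy-into-app-private-storage workaround it describes. The check is a simplified reading of that rule rather than libpq's exact code, and the sample key content and paths are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simplified model of the non-Windows key-file rule discussed in the thread
 * (regular file, owned by the running user, mode u=rw/0600 or tighter); an
 * assumption for illustration, not libpq's exact code. 0 = acceptable. */
int key_file_acceptable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;              /* missing or unreadable */
    if (!S_ISREG(st.st_mode)) return -2;              /* not a regular file */
    if (st.st_uid != geteuid()) return -3;            /* the Android case: owned by another user */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -4;  /* group/other bits set */
    return 0;
}
/* The workaround: copy the key into app-private storage as a fresh file owned
 * by the running user, created O_EXCL with mode 0600 (umask can only tighten). */
int import_private_key(const char *src, const char *dst)
{
    char buf[4096]; ssize_t n; int rc = 0;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -2; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t) n) != n) { rc = -3; break; }
    if (n < 0) rc = -3;
    close(in); close(out);
    if (rc != 0) unlink(dst);                         /* never leave a partial key behind */
    return rc;
}
/* Constructed demo: a key dropped with 0644 (typical after a USB/MTP transfer)
 * is rejected, its imported copy accepted. The wrong-owner case (-3) needs a
 * second user and is not reproduced here. Returns 1 on the expected outcome. */
int demo(void)
{
    char dir[] = "/tmp/pgkeyXXXXXX", dropped[64], imported[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(dropped, sizeof dropped, "%s/dropped.key", dir);
    snprintf(imported, sizeof imported, "%s/private.key", dir);
    FILE *f = fopen(dropped, "w"); if (f == NULL) return 0;
    fputs("-----BEGIN PRIVATE KEY-----\nconstructed sample\n-----END PRIVATE KEY-----\n", f);
    fclose(f); chmod(dropped, 0644);
    int before = key_file_acceptable(dropped);
    int rc = import_private_key(dropped, imported);
    int after = key_file_acceptable(imported);
    unlink(dropped); unlink(imported); rmdir(dir);
    return before == -4 && rc == 0 && after == 0;
}
```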
On 19 Sep 2025, at 12:18, Mathieu Pellerin <mathieu@opengis.ch> wrote:
Would it make sense for other operating systems beyond Windows to also have relaxed permissions within specific application-specific folders? On Android, the application’s data directory would certainly match a similar set of secure assumptions as the OS restricts its access.
FWIW, I am not a fan of the presumed-safe approach to filesystem locations, and
even less so of relaxed permissions via configuration.
One thing which has been discussed is to add support for vaults, like macOS
keychain etc, as an alternative to filesystem access. Are there any such
capabilities on Android which could be relied upon?
--
Daniel Gustafsson
Thanks for the response Daniel.
AFAIK, Android has a KeyCert API; however, this doesn't let you extract
private keys as such, only perform certain cryptographic operations with
them. Guessing a bit here, this likely means that we would need to provide
an OpenSSL engine (via libpq?) that implements certain OpenSSL callbacks
and connects them through JNI to the Android KeyCert API. This is a rather
complex integration to begin with, and one I wouldn’t blame libpq for not
being interested in.
I also can’t see the method suggested above to be super friendly to
services defined via pg_service.conf across multiple OSes; the filesystem
access for that is quite useful.
While presumed-safe locations are not bulletproof, they do have their uses
on Windows, and would definitely ease things when using libpq on Android.
When it comes to the actual use case described in this thread, I’d rather
rely on a clearly established and documented presumed-safe location logic
than doing the workaround I linked above. Both ultimately get us a workable
connection.