SSL, TLS on Android

I have an app that needs to access an API securely using SSL/TLS. I am aware that TLS 1.2 is not currently supported by Unity, but I must support at least TLS 1.0 as a stop-gap measure. This app is cross-platform Android/iOS.

I would prefer to use Unity’s builtin [UnityWebRequest](https://docs.unity3d.com/ScriptReference/Networking.UnityWebRequest.html) class to handle this, but from what I’ve read certificates are currently not validated correctly (i.e. all certificates are always deemed valid without properly checking). Is this still the case?

I have had some success using the .NET HttpWebRequest class, but cannot get this to work on Android (only Windows). The problem seems to be: Mono does not use the CA certificates from the device OS - it maintains its own, separate certificate store. On Desktop platforms, we can download the required certificates using the method here.

However I cannot find a method of getting them into the Mono Trust store on an Android device. Attempting to add a certificate at runtime using X509Certificate2/X509Store as detailed here throws an error “Access to the path “./config” is denied.” How do I fill the Mono trust store with the correct certificates, or make my app use the device OS trust store?

tldr: What is the correct way of doing secure web requests in Unity Android, ideally with TLS.

This was never the case on Android. True in Editor, Standalone, but not Android.
On Android UnityWebRequest uses the device's certificate store and does support SSL/TLS as much as the Android SDK does support it.

Thanks Aurimas-Cernius, that’s good news!

Can you confirm that the same is true for iOS?

Are there plans to support certificate validation fully in Standalone builds? I’m guessing the difficulty with this is that you will be required to use the native certificate system on each standalone platform for each OS version.

As I understand it, TLS 1.2 support is not currently there, but is scheduled for Unity 2018.2

Turns out that Android was using the correct (OS) certificate store, but I needed to perform some custom certificate checking rather than rely on the default - so no need to ‘manually’ add certificates to the Android certificate store.


I was able to set up my project to make TLS 1.2 requests via the .NET HttpWebRequest class using the following steps (posted here for posterity - will be obsolete when Unity 2018.2 is released)

  • Switch your project to use the .NET 4.6 scripting runtime (Player Settings → Other → Scripting Runtime Version)
  • Follow this guide to update the .NET HttpWebRequest class
  • Run “mozroots.exe --import --sync” to download the root CA certificates into your mono trust store if required. On Windows this is found at <unity_dir>\Editor\Data\MonoBleedingEdge\lib\mono\4.5\mozroots.exe
  • For Android, you must also ensure that you are validating certificates using the method described in this thread, or you will get errors.
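
An added example (not code from this thread or from Unity): one way to do the custom certificate checking mentioned above for HttpWebRequest without accepting every certificate. The class name `PinnedTls`, the pin placeholder and the acceptance policy are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of Unity or of the thread.
public static class PinnedTls
{
    // Placeholder: Base64 SHA-256 of your server certificate's public key bytes.
    static readonly HashSet<string> Pins = new HashSet<string>
    {
        "REPLACE_WITH_BASE64_SHA256_OF_YOUR_SERVER_PUBLIC_KEY"
    };

    // Call once at startup, before the first HttpWebRequest is created.
    public static void Install()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null) return false;
        // A host name mismatch or a missing certificate is never acceptable.
        const SslPolicyErrors fatal = SslPolicyErrors.RemoteCertificateNameMismatch
                                    | SslPolicyErrors.RemoteCertificateNotAvailable;
        if ((errors & fatal) != 0) return false;
        // The chain validated against the trust store: accept.
        if (errors == SslPolicyErrors.None) return true;
        // Only chain errors remain (for example an empty Mono trust store).
        // Accept solely an unexpired certificate whose key matches a pin.
        var cert = new X509Certificate2(certificate);
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter) return false;
        return Pins.Contains(PublicKeyPin(certificate));
    }

    public static string PublicKeyPin(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(certificate.GetPublicKey()));
    }
}
```

The pin is obtained by running `PublicKeyPin` once against the known-good server certificate in a trusted environment; a callback that simply returns `true` would reintroduce the "all certificates are deemed valid" behaviour raised at the top of the thread.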

Yes, iOS uses the device certificate store as well. In Standalone this will be supported since 2018.2.

Great! Thanks for your help.

I’ve just written a simple test app and I can confirm that both (UnityWebRequest and .NET 4.6 HttpWebRequest, when following the steps above) work on Android, iOS and Standalone builds (HttpWebRequest with TLS1.2). I got compile errors when loading the project in the OSX editor, but I was able to build the iOS Xcode project on a Windows machine and deploy via the Mac with no problems.