I think I expressed myself poorly: the certificate is not ignored in the implementation, only the verification of validity will be ignored. All transactions will still be encrypted with SSL or TLS.
SSL or TLS is nearly useless without validation checks. This would be a severe security flaw, please don’t use that! Just imagine that some of your people use a free WiFi to connect to your server. The WiFi admins can do a MITM attack with one click and all .gov.br data would belong to them.
To see which severe security problems are caused by not validating certificates, please read http://www.search-lab.hu/about-us/news/109-security-vulnerability-in-lg-s-update-center-application (for instance).
DAVdroid would rather need a good certificate pinning option, but ignoring the certificate is not a possible option.
Thanks for your suggestion. This was discussed extensively in #3, please see there. Summary:
1. Implementing a private certificate storage for DAVdroid is non-trivial and many things would have to be implemented, for example: GUI and functionality for importing a certificate, GUI and functionality for viewing installed certificates, GUI and functionality for removing installed certificates, integration with the multi-threading HttpClient library connection pool.
2. All these things would be redundant and – while theoretically nice to have – are less important than all the other missing features, and our time resources are limited.
3. Pull requests and existing solutions we have found are not satisfactory and don’t implement all the things mentioned in (1).
The code from Owncloud you mention seems to be the GUI for importing a certificate. The “real code” is in com.owncloud.android.lib.common.network.NetworkUtils. Also, I don’t think they’re using a multi-threaded pool with HttpClient library and I also wonder whether there are options for viewing and removing already accepted certificates (crucial after Heartbleed, for example).
We have created CAdroid to allow users to import their self-signed certificates into the Android storage more easily.
So, thanks again for your suggestion, but at the moment, there’s nothing to be added from our side.