Android series! Don't you know these advanced Android technologies? The technology is introduced in detail

Preface

Whether you are a college student or a working professional, this article is suitable for you, and the skills a senior architect must master are listed at the end of the article.

1. We face serious challenges every day of our lives

Although it seems that we are all doing our own work and everything is going smoothly, that is not really the case. Every one of us is facing a "crisis". The crisis referred to here concerns your own value, namely how replaceable you are.

No matter what you do, your irreplaceability matters most. How should this be understood? Think about it carefully; it is not difficult.

From a technical point of view, your personal technical depth dominates in the early stages of your career. If you can build outstanding skills in your first 3 years and reach a deeper level of attainment than your peers, then you are in a strong position, and that position can bring you many advantages and resources.

Conversely, if you do not occupy that upper position, the challenges you face will be much greater, which poses a big problem for your subsequent room for development.

background

We know that HTTP communication has the following problems:

  • Communication in plaintext may be eavesdropped on
  • The identity of the communicating party is not verified, so masquerading is possible
  • The integrity of a message cannot be proven, so it may have been tampered with

Using HTTPS solves these data security issues, but do you really understand HTTPS?

When the interviewer fires off these probing questions one after another, can you answer them fluently?

  1. What is HTTPS, and why is it needed
  2. The HTTPS connection process
  3. What encryption does HTTPS use, symmetric or asymmetric, and why is it designed this way? Why is symmetric encryption used for content transmission
  4. Is HTTPS absolutely secure
  5. Can HTTPS traffic be captured

If you can answer these freely, congratulations: you have almost mastered HTTPS, which is enough for an interview.

What is HTTPS

Simply put, HTTPS is HTTP + SSL: it encrypts the content of HTTP communication. It is the secure version of HTTP, that is, the HTTP protocol encrypted with TLS/SSL.

The role of HTTPS:

  1. Content encryption: establishes a secure channel for information, ensuring the security of data transmission;
  2. Identity verification: confirms the authenticity of the website;
  3. Data integrity: prevents content from being impersonated or tampered with by third parties.

What is SSL

SSL was created by Netscape Corporation in 1994. It aims to provide secure Internet communication over the Web. It is a standard protocol for encrypting the communication between the browser and the server, and it allows private information such as account passwords, bank card numbers and mobile phone numbers to be transmitted securely and easily over the Internet.

An SSL certificate is a digital certificate, issued by a trusted CA organization, that complies with the SSL protocol.

How SSL/TLS works:

To understand the working principle of SSL/TLS, we need to master the encryption algorithms involved. There are two kinds of encryption algorithm: symmetric encryption and asymmetric encryption:

Symmetric encryption: both parties use the same key for encryption. Its characteristic is that encryption is fast, but the disadvantage is that the key needs to be protected: if the key is leaked, the encryption will be broken by others. Common symmetric encryption algorithms are AES and DES.

Asymmetric encryption: two keys need to be generated, a public key and a private key.

As the name implies, the public key is public and anyone can obtain it, while the private key is kept private. I believe most programmers are already familiar with this algorithm: when we push code to GitHub we can use an SSH key, generating a private key and a public key locally, storing the private key in the local .ssh directory and the public key on the GitHub website. Then every time you push code you do not have to enter a user name and password, because GitHub identifies us by the public key stored on the website.

The public key encrypts and the private key decrypts; or the private key encrypts and the public key decrypts. This kind of algorithm is more secure, but the amount of computation is much larger than for symmetric encryption, so encryption and decryption are very slow. A common asymmetric algorithm is RSA.

HTTPS connection process

The HTTPS connection process is roughly divided into two stages: the certificate verification stage and the data transmission stage.

Certificate verification phase

This stage is roughly divided into three steps:

  1. The browser initiates a request
  2. After the server receives the request, it returns its certificate, which includes the public key
  3. After the browser receives the certificate, it checks whether the certificate is legitimate. If it is not, an alert pops up (how legitimacy is verified is analysed in detail below and ignored here)

Data transmission stage

After the certificate has been verified as legitimate:

  1. The browser generates a random number,
  2. encrypts it with the public key and sends it to the server
  3. The server receives the value sent by the browser and decrypts it with the private key
  4. After decryption succeeds, a symmetric encryption algorithm is used to encrypt the content transmitted to the client

From then on, the two parties communicate using the random number generated in the first step as the key for encrypted communication.

What encryption method does HTTPS use, symmetric or asymmetric, and why is it designed like this?

From the above we know that HTTPS encryption is a combination of symmetric encryption and asymmetric encryption.

In the certificate verification phase, asymmetric encryption is used. In the data transmission phase, symmetric encryption is used.

This design has the advantage of maximizing both security and efficiency.

In the certificate verification phase, asymmetric encryption requires a public key and a private key. Even if the public key held by the browser is leaked, we can still ensure the security of the random number, because the encrypted data can only be decrypted with the private key. In this way the security of the random number is ensured to the greatest extent.

In the content transmission stage, using symmetric encryption greatly improves the efficiency of encryption and decryption.

Why use symmetric encryption for content transmission

  1. Symmetric encryption is relatively efficient
  2. A pair of public and private keys can only realize one-way encryption and decryption, and only the server holds a private key. If asymmetric encryption were used for the content, each client would have to have its own private key. Under that design every client owns a private key, which is obviously unreasonable, because a private key has to be applied for.

Is HTTPS absolutely secure

It is not absolutely secure; it can be attacked by a man-in-the-middle.

What is a man-in-the-middle attack

A man-in-the-middle attack means that the attacker creates independent connections with both ends of the communication and relays the data received from each, so that both ends believe they are talking directly to each other over a private connection, while in fact the entire conversation is completely controlled by the attacker.

HTTPS uses the SSL encryption protocol, which is a very secure mechanism; at present there is no way to attack the protocol itself directly. In general, the attack intercepts the client's request while the SSL connection is being established and uses a middleman to obtain the CA certificate, the public key for asymmetric encryption and the key for symmetric encryption; with these, requests and responses can be intercepted and tampered with.

Process principle:

  1. Local requests are hijacked (for example by DNS hijacking), so all requests are sent to the middleman's server
  2. The middleman's server returns the middleman's own certificate
  3. The client creates a random number, encrypts it with the public key of the middleman's certificate, transmits it to the middleman, and then uses the random number to set up symmetric encryption for the transmitted content
  4. Because the middleman has the client's random number, it can decrypt the content with the symmetric encryption algorithm
  5. The middleman sends the client's request content on to the official website
  6. Because the communication between the middleman and the server is legitimate, the official website returns the encrypted data through the secure channel it has established
  7. The middleman decrypts the content with the symmetric encryption algorithm established with the official website
  8. The middleman encrypts the data returned by the official website with the symmetric encryption algorithm established with the client and transmits it
  9. The client decrypts the returned result with the symmetric encryption algorithm established with the middleman

Because certificate verification is missing, although the client initiates an HTTPS request, it does not know that its network has been intercepted, and the transmitted content is completely stolen by the middleman.

How does HTTPS prevent man-in-the-middle attacks

HTTPS requires a certificate. The function of the certificate is to prevent "man-in-the-middle attacks". If there is an intermediary M that intercepts the client's request, M provides its own public key to the client and M requests the public key from the server, acting as an "intermediary", so that neither the client nor the server knows the information has been intercepted. At this point it is necessary to prove that the server's public key is correct.

How to prove it?

An authoritative, impartial third party is needed. This third party is the CA. That is to say, a CA is a guarantor organization that specializes in certifying and vouching for public keys. There are more than 100 well-known CAs in the world, recognized globally, such as VeriSign and GlobalSign; well-known domestic (Chinese) CAs include WoSign.

How does the browser ensure the legitimacy of a CA certificate?

1. What information does the certificate contain?

Issuer information, public key, company information, domain name, validity period, fingerprint...

2. What is the basis for the legality of the certificate?

First of all, the authority must itself be certified: not just any organization is qualified to issue certificates, otherwise it would not be called an authority. In addition, the credibility of a certificate is based on a trust system, and the authority must endorse the certificates it issues. As long as a certificate was generated by an authority, we consider it legitimate. Therefore, the authority reviews the applicant's information; different levels of authority have different review requirements, so certificates are also divided into free, cheap and expensive ones.

3. How does the browser verify the validity of the certificate?

When the browser initiates an HTTPS request, the server returns the website's SSL certificate, and the browser needs to verify the certificate as follows:

  1. Verify that the domain name, validity period and other information are correct. This information is contained in the certificate, so this check is easy to complete;
  2. Determine whether the source of the certificate is legitimate. For each issued certificate, the corresponding root certificate can be found by following the verification chain. The operating system and browser store the authority's root certificate locally, and the local root certificate can be used to verify the source of certificates issued by the corresponding organization;
  3. Determine whether the certificate has been tampered with. This needs to be checked with the CA server;
  4. Determine whether the certificate has been revoked. This is implemented through CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol). OCSP can be used in step 3 to reduce interaction with the CA server and improve verification efficiency.

The browser considers the certificate legitimate only when all of the above checks pass.

Finally

The recommended way of submitting a resume is whichever is fast and efficient; then look around on Lagou, Boss, Maimai and Dajie. Whatever technology your resume says you are familiar with, you must really be familiar with it, otherwise it will be very embarrassing when you are asked about it! Whatever project you have done, even if it is not large, you must be familiar with how it was implemented! For the parts you were not responsible for, you can also look at how your colleagues implemented them and ask yourself what you would have done. What was done and how broad it was depends on the content of the project, but what was done and what state it reached is a matter of depth, which has to do with personal learning ability and attitude to problem-solving. Large companies look at depth, small companies look at breadth. Whether you can interview at large companies, and whether small companies can use what they interview you on, is a matter of job matching.

Be polite throughout the interview! Even if you feel the interviewer does not respect you and keeps interrupting your explanation, or you feel he is not as good as you and his questions lack professionalism, you must still respect him. After all, right now he is the one choosing you; wait until you get the offer, then you choose him.

Also, describe problems slowly! Don't blurt everything out at once. It makes you look calm and confident, and it gives you time to think about how to put the next point better. Nowadays too much development relies on IDEs, and that has a drawback: when we explain things in an interview, it is easy not to know how to pronounce a certain method name. This is a flaw... So we must pronounce common key class names, method names and key words accurately; some interviewers will impatiently ask "Which one are you talking about?", and at that point we easily get flustered. Correct pronunciation + calm description + a pleasant voice is definitely a plus!

Most important is mindset! Mindset! Mindset! Important things are said three times! The interview is very short, and it is fairly unrealistic for the other party to find out your foundations in such a short time, so sometimes it also comes down to whether you hit it off. This is still an era that judges by appearances.

I hope everyone can find a job that suits them and satisfies them!
If you need the PDF version, you can pick it up on GitHub!

Advanced learning video

Attached: we collected 20 sets of real Android interview questions from first- and second-tier Internet companies (including BAT, Xiaomi, Huawei, Meituan and Didi), plus my own Android review notes (covering Android basic knowledge points, Android extended knowledge points, Android source code analysis, a summary of design patterns, Gradle knowledge points and a summary of common algorithm questions).


Origin blog.csdn.net/m0_52308677/article/details/114132021