
This article describes techniques for accessing an SSL/TLS-secured MQTT broker from an Android™ device using the Eclipse Paho MQTT client code.


Accessing a Secure MQTT Broker with Android

When building Internet of Things (IoT) applications, Android devices can be excellent providers of data. The Message Queue Telemetry Transport (MQTT) protocol offers an efficient and effective way to transfer this data to another node in your application, such as a cloud server. If sensitive or private data is being collected, the transfer can be protected with SSL/TLS, which encrypts the data in transit and, when the client checks the broker's certificate, ensures it is talking to the right broker.

Getting the Android app to trust the broker's certificate can be awkward, and it fails outright when the certificate was not issued by a CA in the device's system trust store (a private CA or a self-signed certificate). This article demonstrates how to enable an Android application to access an MQTT broker that has been secured with any certificate, including a self-signed one, by giving the app its own trust store containing that certificate.

The Eclipse Paho MQTT client implementation is used in this example.

For information about creating the original SSL certificate or how to configure the MQTT Broker, see our previous article (Securing MQTT on Apache ActiveMQ →).


Generating BouncyCastle format certificates

Android ships an implementation of the cryptography API library created and maintained by the BouncyCastle project (see BouncyCastle.org →). Trust-store files must therefore be created in BouncyCastle's keystore format (BKS) before Android can load them.
The JAR file containing the BouncyCastleProvider class needed to write a BKS file can be downloaded from bcprov-ext-jdk15on-1.46.jar →. It is only needed on the development machine for keytool, not by the Android client code, because android.jar already includes an early version of the BouncyCastle code.

Use the JDK keytool utility (Oracle keytool documentation →) to import the certificate that secures the MQTT broker and generate a trust-store file in the appropriate format (see Figure 1). Import the CA certificate that signed the broker's certificate, or the broker certificate itself if it is self-signed; the app will trust exactly what goes into this file, so check the fingerprint keytool prints before confirming the import. In our example the certificate for our MQTT broker is in a file called ‘cacert.pem’ and we use it to create a BKS format trust-store file called raw_key_file. You must provide a fully qualified path to the bcprov-ext-jdk15on-1.46.jar file using the -providerpath keytool option. The key store password in this example is ‘mykeystorepassword’; it will be needed later in the runtime code. Note that this password only protects the integrity of the trust store (it contains public certificates, nothing secret), so embedding it in the app is acceptable.

Figure 1: keytool command line options

Next, create a folder called ‘raw’ in the ‘res’ folder of your Android project if it does not already exist, and copy the generated raw_key_file into it as shown in Figure 2. Android exposes it to the code as the resource ID R.raw.raw_key_file.

Figure 2: Android raw_key_file resource

We use a utility class to generate an SSLSocketFactory instance backed by the BKS trust store, so that the only certificates trusted are the ones we imported. The trust store is loaded from the raw resource by ID (see Figure 3).

The resulting socket factory is then passed in as one of the MQTT client connect options.

Figure 3: SslUtility.java
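The code in Figure 3 is not reproduced here. What follows is an added example of such a utility class, written for this edit rather than taken from the article; it assumes the resource ID R.raw.raw_key_file and the store password from the keytool step, and the package name is hypothetical. The comment at the top records a keytool invocation of the kind Figure 1 describes (standard keytool options, with placeholder paths; it is not the article's exact command).

```java
package com.example.securemqtt;   // hypothetical package name

/*
 * The BKS trust store loaded below is produced on the development machine, not on
 * the device.  A keytool invocation of the kind Figure 1 describes (placeholder paths):
 *
 *   keytool -importcert -trustcacerts -alias mqttbroker \
 *       -file cacert.pem -keystore raw_key_file -storetype BKS \
 *       -storepass mykeystorepassword \
 *       -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
 *       -providerpath /full/path/to/bcprov-ext-jdk15on-1.46.jar
 *
 * Import the CA certificate that signed the broker certificate (or the broker's own
 * certificate if it is self-signed) and check the fingerprint keytool prints before
 * answering "yes": whatever goes into this file is what the app will trust.
 */

import android.content.Context;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLSocketFactory that trusts only the certificates in a BKS raw resource. */
public final class SslUtility {

    private static SslUtility instance;
    private final Context appContext;

    private SslUtility(Context context) {
        // Keep the application context, not an Activity, so the singleton does not leak it.
        this.appContext = context.getApplicationContext();
    }

    /** Call once, e.g. from Application.onCreate() or before the first connection. */
    public static synchronized void initialize(Context context) {
        if (instance == null) {
            instance = new SslUtility(context);
        }
    }

    public static synchronized SslUtility getInstance() {
        if (instance == null) {
            throw new IllegalStateException("SslUtility.initialize(context) has not been called");
        }
        return instance;
    }

    /**
     * @param rawResourceId  e.g. R.raw.raw_key_file
     * @param storePassword  the -storepass used when the BKS file was created
     */
    public SSLSocketFactory getSocketFactory(int rawResourceId, String storePassword)
            throws IOException, GeneralSecurityException {
        // Android's built-in BouncyCastle provider understands the BKS store type.
        KeyStore trustStore = KeyStore.getInstance("BKS");
        InputStream in = appContext.getResources().openRawResource(rawResourceId);
        try {
            // The password checks the store's integrity; a wrong one fails here, not at connect time.
            trustStore.load(in, storePassword.toCharArray());
        } finally {
            in.close();
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No KeyManager: the client presents no certificate of its own.  The TrustManager is
        // the real one backed by our store; never substitute a trust-all TrustManager here.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

Because the TrustManager is initialised from this store alone, a broker presenting a certificate from any other CA, even a publicly trusted one, is rejected during the handshake. If the file is not a BKS store or the password is wrong, the failure surfaces as an exception from KeyStore.load() when the factory is built, which is easier to diagnose than a handshake failure later.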

Eclipse Paho MQTT Client

The Paho project from the Eclipse organization provides a solid implementation of an MQTT client library that can be used to access an MQTT broker. More information about it can be obtained at the Paho website →. The JAR file for the J2SE Java client can be downloaded from org.eclipse.paho.client.mqttv3.jar →. After downloading the JAR file, ensure that the Android project Build Path has been configured to include the JAR as a library, as shown in Figure 4. In addition, you must make sure that it is exported, as shown in Figure 5, or the class will be missing from the APK at runtime.


Figure 4: Java Build Path Libraries


Figure 5: Java Build Path Order and Export

The AccessMqtt class (Figure 6) in this example demonstrates how to create an MqttClient instance, set the logon credentials, and supply the socket factory that determines which broker certificate is trusted when establishing the connection. In this case, the MQTT broker is configured to require a user's logon name and password for any publish or subscribe access; because the credentials are sent inside the TLS session, the broker URI must use the ssl:// scheme (for example ssl://host:8883) rather than tcp://.

Figure 6: AccessMqtt.java

The following fragment (Figure 7) shows the SslUtility singleton being initialized, and the AccessMqtt class being called to establish a connection to the MQTT broker and post a single message to a topic.

Figure 7: Java test code fragment
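Figures 6 and 7 are not reproduced here. The following is an added example, written for this edit and not the article's own code, of an AccessMqtt class plus the kind of test fragment Figure 7 describes. It assumes an SslUtility singleton of the shape described at Figure 3 with a getSocketFactory(int rawResourceId, String storePassword) method (the signature is an assumption), the resource R.raw.raw_key_file, and placeholder broker host, credentials and topic; the package name is hypothetical.

```java
package com.example.securemqtt;   // hypothetical package name

import android.content.Context;
import android.util.Log;

import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;
import org.eclipse.paho.client.mqttv3.MqttMessage;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

import java.nio.charset.Charset;

import javax.net.ssl.SSLSocketFactory;

/** Thin wrapper around a Paho MqttClient that connects over TLS with a username/password. */
public class AccessMqtt {

    private final MqttClient client;
    private final MqttConnectOptions options;

    /**
     * @param brokerUri      must use the ssl:// scheme, e.g. "ssl://broker.example.com:8883";
     *                       a tcp:// URI would send the credentials in clear text
     * @param socketFactory  the factory built from the BKS trust store
     */
    public AccessMqtt(String brokerUri, String clientId, String userName, char[] password,
                      SSLSocketFactory socketFactory) throws MqttException {
        if (!brokerUri.startsWith("ssl://")) {
            throw new IllegalArgumentException("refusing non-TLS broker URI: " + brokerUri);
        }
        client = new MqttClient(brokerUri, clientId, new MemoryPersistence());

        options = new MqttConnectOptions();
        options.setCleanSession(true);
        options.setUserName(userName);
        options.setPassword(password);           // only sent after the TLS handshake completes
        options.setSocketFactory(socketFactory); // the trust decision is made by this factory
    }

    public void connect() throws MqttException {
        client.connect(options);
    }

    public void publish(String topic, String payload, int qos) throws MqttException {
        MqttMessage message = new MqttMessage(payload.getBytes(Charset.forName("UTF-8")));
        message.setQos(qos);
        client.publish(topic, message);
    }

    public void disconnect() throws MqttException {
        client.disconnect();
    }
}

/** Test fragment: initialise SslUtility, connect to the broker and publish one message. */
class PublishOnce implements Runnable {

    private final Context context;

    PublishOnce(Context context) {
        this.context = context;
    }

    @Override
    public void run() {
        // Runs on a background thread: Android forbids network I/O on the main thread.
        try {
            SslUtility.initialize(context);
            SSLSocketFactory factory = SslUtility.getInstance()
                    .getSocketFactory(R.raw.raw_key_file, "mykeystorepassword");

            // Placeholder host, credentials and topic; substitute your own.
            AccessMqtt mqtt = new AccessMqtt("ssl://broker.example.com:8883",
                    MqttClient.generateClientId(), "mqttuser",
                    "mqttpassword".toCharArray(), factory);
            mqtt.connect();
            mqtt.publish("android/sensor/temperature", "21.5", 1);
            mqtt.disconnect();
        } catch (Exception e) {
            // A certificate the trust store does not cover fails inside connect().
            Log.e("PublishOnce", "secure publish failed", e);
        }
    }
}
// From an Activity:  new Thread(new PublishOnce(getApplicationContext())).start();
```

Two checks worth making before shipping this: confirm that a broker presenting a certificate outside your trust store is rejected (connect() should throw), and check whether the Paho release you use verifies the broker hostname against the certificate, since older Java client releases did not do so on their own (recent releases expose MqttConnectOptions.setHttpsHostnameVerificationEnabled for this). With a private CA that issues certificates only to your own broker the hostname gap matters less, but it is still worth closing.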

Now private data travels encrypted between the Android app and the server, and the app accepts only a broker that presents the certificate we imported into its trust store, even though that certificate is self-signed.

References

The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons Attribution 3.0 license →. Android is a trademark of Google Inc.
