Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Anti-hack solution for a secret key in Android app?

Tags:

java

android

reverse-engineering

secret-key

I need to store a private string key inside of the app. Its value will never change and is set manually in code. I cannot obviously just store it as a String as reverse-engineering method would reveal it, even with obfuscation applied.

How do you suggest I protect this private key?

I though of saving it into a database, but a database can be pulled out of the phone as well.

PS. this key is a special parameter so an important method and it's crucial it stays unknown to anyone! It's not a decrypting key. This string will be used as a parameter to encryption method (md5 or similar) and then a result will be sent to our Internet service.

EDIT

Sorry, for making it so complicated. I thought I could get an answer with as few info as possible.

This app will allow users to send some text to an Internet service which then posts that text to a web site. We need to make sure that the text is sent via Android phone as any web robot script can mimic android phone and post a spam. As captcha-like methods are not welcome on mobile phones, there will be a secret key which will be put through md5 (with some other things) to generate a hash code. This hash will be sent to an Internet service. The Internet service will use the same key to get a md5 result and then compare it to see if the sender is a mobile phone or some robot.

This is really the max I am allowed to say. I hope it is enough.

like image 718
sandalone Avatar asked Apr 18 '12 06:04

sandalone

People also ask

How do you break apps on Android?

Online decompiler 🔗 The quickest and easiest way to decompile an APK is to just use an online service. You just upload the APK and get an archive with all the resources and decompiled files.

What is geeky tools app?

This anti hacking protection app helps you detect all types of spywares & malwares. You can detect hidden apps, analyze privacy and find malicious apps using this bug detector scanner.

1 Answers

I'd suggest that you rethink your security architecture. Anything shipped with the app is discoverable. (For instance, Android's license validation library is designed so that a public key is shipped with the app.)

One possibility is for the app to retrieve the key from a server (over a secure socket or https connection). This would obviously require that the app submit to the server some sort of identification/validation (probably based on user input).

If you're using the key for encryption, then take another look at how public key encryption is supposed to work. Your app should have the public key; the internet service can then decrypt with the matching private key.

like image 124
Ted Hopp Avatar answered Sep 21 '22 06:09

Ted Hopp
Sign in to Comment

Related questions

morphia and howto update existing document field
java - How to create an instance of generic type T
An interesting Google interview algorithm I found online that requires linear time [closed]
Fastest way to generate all binary strings of size n into a boolean array?
MyBatis - defining a global parameter
Which payment system has good integration with Java?
Java JTable detect Column re-sized by user
Putting into a Map<String, ?>
How Eclipse terminate a running program?
Enforcing java annotations at compile time
Quartz scheduler max thread count property
Can C++ call Java code?
Java7 sqljdbc4 - SQL error 08S01 on getConnection()
Is the '.' for member access considered an operator in Java?
XML Schema: replacing imports with corresponding schema
Specifying the field naming policy for Jackson
Spring @Autowired @Lazy
How I can extract the RandomForest from R for use in production?
How can I find Saturdays and Sundays in A given month?
Can't run Java example for Selenium / WebDriver

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!