Yes, this is a pretty general question, but I'm trying to get a feel for the best way to handle an app that touches base with a web server that distributes sensitive data to the app. Any links, general information, advice etc. would be appreciated.
Since the app would store persistent data retrieved from the database for a certain amount of time, everything becomes somewhat touchy.
Use external storage: because external storage can be removed by the user and also modified by any application, don't store sensitive information using external storage. To read and write files on external storage in a more secure way, consider using the Security library, which provides the EncryptedFile class.
Protect your app's transport layer. So, step one in your effort to secure an Android app is simple: protect its data transfer layer by employing strong encryption. You can do this by making use of protocols like SSL and TLS, which are simple to add to your code and are very difficult to compromise.
In general sensitive data stored locally on the device should always be at least encrypted, and any keys used for encryption methods should be securely stored within the Android Keystore. These files should also be stored within the application sandbox.
That depends very much on your audience. Normally, the Android OS prohibits apps from accessing each other's files (i.e. databases, preference files, regular files stored in the app's private directory) through proven Linux file permissions. However, on rooted devices an application can obtain root access and read everything. A few things to think about:
To conclude, if your information is not super-duper sensitive (e.g. credit card information), I'd suggest just sticking with the default security provided by Android (i.e. save everything in plain text, knowing other apps can't access it).
Otherwise, encryption is the way to go. It's not 100% secure (a hacker could de-compile your app and figure out how to decrypt the data), but it's a major pain to crack and will stop most hackers. Especially if you obfuscate your code with something like ProGuard.
You have a few options here. First of all, always use HTTPS. After enabling HTTPS, here are two extra security measures I would propose:
time=1321802432&key=[generated-key], where generated-key is generated from the time parameter. For example: md5(time + salt). When the server receives this request, it can do two things: check that key is indeed equal to md5(time + salt) (note that only the client and the server know the salt and it can be obfuscated similarly to the API key above), and that time is not too far back in the past (e.g. if it's more than 1-2 minutes in the past, consider the request invalid).

The second method is more useful if you are also doing plain HTTP requests, where everyone can see the parameters being sent. Also, it's much harder to figure out from decompiled code, especially if you spread the key calculation logic across multiple classes.
However, note that nothing makes it impossible to crack your app. You can obfuscate as much as you want; if a hacker is really determined to get to your data, he will be able to do so by decompiling your application and spending many sleepless nights going through your code and figuring out how the requests are formed. The only real way of securing your data is by asking your user for a password, besides doing all the work I wrote about above. You can't get a password that only exists in someone's (the user's) head from decompiled code :).
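The time-keyed request scheme described in the answer above, as an added example (not code from the original answer), written in Python so that both sides can be run offline: the client builds the query string, the server re-derives the key and applies the freshness window. It swaps the answer's md5(time + salt) for an HMAC-SHA256 over the time parameter and the other parameters, so a tampered parameter also fails the check. The shared secret, the 120-second window and the 30-second clock-skew allowance are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Assumed shared secret (the answer's "salt"); it must match on client and server.
# Hypothetical value for illustration only, never ship a literal like this.
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_AGE_SECONDS = 120   # the answer's "1-2 minutes" window (assumption)
MAX_CLOCK_SKEW = 30     # tolerated client clock drift into the future (assumption)


def compute_key(params, timestamp, secret=SHARED_SECRET):
    """Key over the time parameter AND the other parameters, in canonical order.

    The answer uses md5(time + salt); an HMAC is swapped in here so the secret is
    keyed material rather than a concatenated string, and covering the other
    parameters means altering any of them invalidates the key.
    """
    pairs = sorted(list(params.items()) + [("time", str(timestamp))])
    canonical = urlencode(pairs).encode("utf-8")
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_signed_query(params, timestamp, secret=SHARED_SECRET):
    """Client side: produce e.g. q=balance&time=1321802432&user=alice&key=<hex>."""
    pairs = sorted(list(params.items()) + [("time", str(timestamp))])
    return urlencode(pairs) + "&key=" + compute_key(params, timestamp, secret)


def verify_signed_query(query, now, secret=SHARED_SECRET):
    """Server side: return "ok", or a short reason for rejecting the request."""
    try:
        parsed = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return "malformed"
    if any(len(values) != 1 for values in parsed.values()):
        return "duplicate parameter"      # refuse ambiguous (smuggled) parameters
    flat = {name: values[0] for name, values in parsed.items()}
    if "time" not in flat or "key" not in flat:
        return "missing time or key"
    try:
        timestamp = int(flat.pop("time"))
    except ValueError:
        return "bad time"
    presented = flat.pop("key")
    # Freshness: not too far in the past, and not from the future either.
    if timestamp > now + MAX_CLOCK_SKEW:
        return "time in the future"
    if now - timestamp > MAX_AGE_SECONDS:
        return "stale"
    # Recompute over the remaining parameters and compare in constant time.
    expected = compute_key(flat, timestamp, secret)
    if not hmac.compare_digest(expected, presented):
        return "bad key"
    return "ok"


if __name__ == "__main__":
    ts = 1321802432
    query = build_signed_query({"user": "alice", "q": "balance"}, ts)
    print(query)
    print(verify_signed_query(query, now=ts + 30))                          # ok
    print(verify_signed_query(query, now=ts + 300))                         # stale
    print(verify_signed_query(query.replace("alice", "bob"), now=ts + 30))  # bad key
```

Two caveats a practitioner would want alongside this. Within the window an intercepted request can be replayed verbatim, because nothing here makes a request unique; a server-side cache of recently seen (time, key) pairs is the usual addition. And, as the answer itself says, the secret still lives in the app, so this raises the cost of forging requests rather than preventing it.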
(Came here thanks to a Google search)
I've been researching this a lot lately and this page has come up a lot thanks to Google and Bing searches. The widely-accepted procedure for storing data on the device securely has been to use a strong encryption algorithm like AES. The harder question is "AES requires a secure key. What do you do with the key?"
Google recently announced a cloud-based storage solution for apps, so you could consider storing the key there if the situation allows. Otherwise, it seems that getting the key outside the device, like on a server, is better. If you can make the user punch in a PIN, that would actually work the best. You can do password derivation in order to store the password, and you can redo the derivation to verify the password.
Without the "user punching in a PIN" part, I haven't found a lot of good answers to that question. However, DO NOT HARD-CODE THE KEY IF YOU MUST STORE ONE WITH THE APP. At the minimum, generate a key using a secure password generator and/or a derivation function like PBKDF2 (Password-Based Key Derivation Function 2).
If I read the posts correctly, Google did say that one approach is to generate a key once the app starts the first time, store the key via the MODE_PRIVATE flag to a lot of file I/O operations, and use that as the key. You can also derive other keys based on that master key, and NIST actually suggests something along those lines.
Whether or not to trust the master-key method, I'll leave to you. This key would get exposed on a rooted device. I'll also admit that I'm still researching the issue.
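An added example (not code from any of the answers above) of the PIN-based approach the last answer describes, in Python with only the standard library: the PIN and a random salt go through PBKDF2 to a master key; the persisted record holds a separate verifier so the PIN can be checked by redoing the derivation; and the data-encryption key is derived from the master key with an HMAC counter-mode KDF (the NIST SP 800-108 construction the answer alludes to). Nothing persisted allows the data key to be recovered without the PIN, which is what "don't hard-code the key" buys you. The iteration count, the labels and the record layout are assumptions for illustration; an Android app would use the javax.crypto equivalents (SecretKeyFactory and Mac) for the same steps.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 310_000   # assumption; tune to the slowest device you support
KEY_LEN = 32                  # 256-bit keys throughout


def derive_master_key(pin, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 over the user's PIN and a per-install random salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def derive_subkey(master_key, label, length=KEY_LEN):
    """NIST SP 800-108 KDF in counter mode with HMAC-SHA256 (no Context field).

    K(i) = HMAC(master_key, [i]_4 || label || 0x00 || [length_in_bits]_4)
    Different labels give independent keys from one master, so the verifier
    stored on disk reveals nothing about the data-encryption key.
    """
    out = b""
    counter = 1
    while len(out) < length:
        msg = (counter.to_bytes(4, "big") + label.encode("utf-8") + b"\x00"
               + (length * 8).to_bytes(4, "big"))
        out += hmac.new(master_key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enroll_pin(pin):
    """First run: return the record the app persists (salt, cost, verifier).

    The master key and the PIN are never written; the verifier is a subkey,
    not the master key itself.
    """
    salt = secrets.token_bytes(16)
    master = derive_master_key(pin, salt)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "verifier": derive_subkey(master, "pin-verifier"),
    }


def unlock(pin, record):
    """Later runs: redo the derivation; return the data key, or None on a wrong PIN."""
    master = derive_master_key(pin, record["salt"], record["iterations"])
    candidate = derive_subkey(master, "pin-verifier")
    if not hmac.compare_digest(candidate, record["verifier"]):
        return None
    return derive_subkey(master, "data-encryption")


if __name__ == "__main__":
    record = enroll_pin("4821")          # constructed sample PIN
    print("stored verifier:", record["verifier"].hex())
    print("wrong PIN ->", unlock("4822", record))
    print("right PIN ->", unlock("4821", record).hex())
```

The caveat is the one the answer already gives for the master-key method: the record is readable on a rooted device, and with a 4-digit PIN an attacker who has it needs at most 10,000 PBKDF2 runs offline, so the iteration count slows the brute force rather than preventing it. A longer passphrase, or mixing in a key that the Android Keystore (or a server) releases only after its own check, is the usual way to close that gap.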