Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Hiding encryption key in Android Application

I want to hide some data that is entered by user in user's phone encrypted. As far as I know I can encrypt/decrypt data using a key/seed value, but if I hide the key value in code, I know it can be found somehow (e.g. decompiling the Java code).

Do you have any suggestions to make the process harder?

like image 513
paul simmons Avatar asked Oct 18 '11 19:10

paul simmons


People also ask

Where does API store secret key?

The best place to store an API key is in a secrets manager.


2 Answers

It is impossible to hide the key in the app such that a resourceful hacker won't be able to pull it out. You can try to obfuscate the key and make it difficult to find but it will always be do able.

See this: https://www.excelsior-usa.com/articles/java-obfuscators.html#examples

The best option would be to require your users to specify a PIN or password and to use that as the encryption key. That way if the device is lost or stolen the key is still safe and it also prevents someone from decompiling your app and getting the encryption key for all instances of your application.

like image 61
slayton Avatar answered Sep 21 '22 08:09

slayton


One of the new features in Ice Cream Sandwich (Android 4.0) is the keychain API. From the Platform Highlights page (emphasis mine):

Android 4.0 makes it easier for applications to manage authentication and secure sessions. A new keychain API and underlying encrypted storage let applications store and retrieve private keys and their corresponding certificate chains. Any application can use the keychain API to install and store user certificates and CAs securely.

like image 35
Alexander Lucas Avatar answered Sep 22 '22 08:09

Alexander Lucas