Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to store secure string in Android?

Tags:

android

security

passwords

keystore

Is there any understandable examples of using KeyStore in Android?

I can't really understand how do I have to protect my password/token/anything_else in Android application in ROOTED device from being used by hackers who have physical access to the device.

I understand i can generate KeyPair with some ALIAS, and use it's private key as database password for example, but I'am interested in: can any hacker read this ALIAS from my decompiled apk(because i can't obfuscate alias string) and build another app which uses same ALIAS to get privateKey from android KeyStore?

Any solutions?

like image 574
Andrew Vasilyev Avatar asked Apr 27 '16 11:04

Andrew Vasilyev

People also ask

Where do Android stores secure keys?

A public/private key RSA pair is generated, which is stored in the Android device's keystore and protected usually by the device PIN. An AES-based symmetric key is also generated, which is used to encrypt and decrypt the secrets.

How can I protect my Android source code?

I got the point that to secure your application use all string value, network call URLs in string. xml file. Your class files convert into java file. And resources got encrypted in other file.

What is the best way to store sensitive data for an Android application?

Use external storage Because external storage can be removed by the user and also modified by any application, don't store sensitive information using external storage. To read and write files on external storage in a more secure way, consider using the Security library, which provides the EncryptedFile class.

1 Answers

I can't really understand how do I have to protect my password/token/anything_else in Android application in ROOTED device from being used by hackers who have physical access to the device.

You can't. Client Authenticity is Not the Server's Problem.

Let's say you store an encrypted value in your app rather than storing the value directly. Where's the key to decrypt this value? The app will necessarily need to decrypt this value. Now all a hacker needs to do is download your .apk, plug it into Lobotomy, and they will quickly figure out what's going on.

You're better off simply never placing sensitive information on the device itself, if you want to hide it from the people who run your software.

like image 109
Scott Arciszewski Avatar answered Sep 29 '22 02:09

Scott Arciszewski
Sign in to Comment

Related questions

Doze Mode/App Standby During Audio Playback
Instant Run doesn't work with proguard
Retrofit 2 download image and save to folder
Delay starting activity from receiver on screen off
IOAcknowledge method is NOT working for SocketIO in Android?
Unable to change timezone on Android device using adb shell setprop
Android get Device Country Code
Android XML drawables scaling
Why doesn't deprecation warning disappear when verifying Build.VERSION.SDK_INT before using deprecated item?
Dagger 2 is not generating my component class
Error undefined reference to std::__ndk1 after update ndk revision 11
Android | Get OkHTTP Library version at runtime
How to specify a launch image for Android app
Can I make Android Studio show errors immediately, like Eclipse used to do?
How to push up an existing view when snackbar is displayed?
How would I go about creating a custom container view in Android?
Is there a way to pre-package Realm database (default.Realm) through React-Native (JS)
emulator: WARNING: Classic qemu does not support SMP. The hw.cpu.ncore option from your config file is ignored
Android, how to set meta data to MP4 file?
convert Observable<RealmResults<T>>> into Observable<List<T>>>

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!