I'm trying to use firebase email authentication and enable biometrics.
The solution I am able to come to is:
enable biometrics and get the fingerprint token
encrypt the user's username+password with this token
store the encrypted username+password in app storage
when user authenticates using biometrics, app decrypts stored username+password and logs in firebase.
The issue is of-course the difficult choice of storing encrypted username+password locally.
Is there any better alternative like
saving an encrypted firebase token instead of username+password?
saving the token in a server?
How do professional apps do it with firebase?
Use Symmetric & Asymmetric keys concept with Android keystore
Follow the Salesforce Mobile SDKs strategy in using the Android Keystore
(more details here:https://developer.salesforce.com/docs/atlas.en-us.mobile_sdk.meta/mobile_sdk/auth_secure_key_storage_android.htm)
To summarize the steps :
The application upon installation and first run creates an asymmetric key pair and a symmetric key
The application stores the asymm. keys in the Android Key Store. Key Store access is granted only when the user unlocks phone (e.g. w/ pin code or biometrics. this step is optional. you can do it without this step)
The application encrypts the symmetric key with the public part of the asymm key pair and stores that in shared preferences
It is the symmetric key that is used to encrypt/decrypt the Firebase token or username + password whichever you want to use
To access the encrypted symmetric key, the app has to first obtain the private key from the Android Key Store, decrypt the symmetric key and then use it.
Related
I want to use one secure key to encrypt and decrypt data on device without saving it in SharedPreferences or DataStore. I want to generate that key using in app authorization (passcode and biometrics).
I know generating secure key with biometrics is possible using AndroidKeyStore. I know I can generate another key by using passcode. Is there any cryptographic way to use one of those keys to encrypt/decrypt local data?
I have tried generating keys with biometrics and passcode. But I could not find a way to encrypt and decrypt data with either of those keys. For example: user logs in and sets passcode and fingerprint. App should encrypt data so it could be decrypted using one of those authentication methods.
I am wondering how do other secure Android apps solve this problem. Can someone provide me an example where could I look into that?
When the user enters username and password into an mobile app( iOS ,Android or windows app)it calls a thirds party oAuth login web service which responds back with oAuth access token and refresh token. Now the app generates a JWT and signs with a Secret key stored in the app. This jwt is used for authentication on a set of In house APIs
In this context, is it safe to trust this AUTH model? Since in-general JwT are generated on the server side , so the integrity is maintained.
What are the pitfall of signing a jwt in mobile apps? Will the secret signing key stored in the apps ever gets compromised ?
Will the secret signing key stored in the apps ever get compromised?
Yes, the signing key can get compromised. This can be done by decompiling your app executable.
Instead of storing the token in a sqlite database or local file, you can make use of the secure storage that each of these platforms provide.
For iOS, you can simply use the Keychain, a secure storage intended for this purpose.
As for Android, a similar functionality is provided by the Keystore.
I am developing an android messaging app. When user signup rsa private and public key are generated and with these keys and aes messages are encrypted and decrypted.
Private key is stored in the phone and public key in the server. If the user resets or uninstall the app all keys are lost so there is no way to decrypt the old messages.
How can I retrieve old private keys without storing it in server when user uninstalls app?
Are you using Android Keystore to store the keys or using your own file storage?
Android keystore
With Android Keystore there is no way to recover keys because they can only be used by the application that created them and are discarded if there are substantial changes.
I guess you are using the RSA keys to negotiate an AES symmetric encryption key. Therefore you will need to backup the AES encryption key( for example in the server...), and stablish a mechanism to recover the key like the common "remember password" utilities
custom key storage
If you are storing the keys into the device without AndroidKeystore, you could define your own mechanism to restore the keys. For example, encrypt the key with a password and storing the key into a public directory of the device. Then the key can be recovered prompting user for the password
Note: Take into account the security risks in each case. For example a non-encrypted AES keys into server implies that a malicious server could decrypt messages. Or a weak recovery key mechanism will descrease the whole security level of the system
There are various ways to persist data in Android. Databases, SavedInstanceState, SharePreferences and files. Only files persist after you application is unInstalled by the user. Saving it in a file is about the only option you have.
I'm looking into ways to secure data on mobile via fingerprint verification.
The situtation on iOS seems fairly straight-forward by securing data in the Keychain via Touch.
But can something like this be done on Android where a piece of data is secured via a fingerprint? Or would we have to handle the association of data and fingerprint internally within the app?
UPDATE:
So having done a little bit more reading on this on Android I'm assuming the best way of doing this would be to encrypt the data within the app but secure the key being used with FingerprintManager and the Android Keystore?
Yes, you're heading into the right direction ;-)
Basically the Keystore is just for creating / storing key material and cannot be compared to something like the SharedPreferences. You could use the Keystore APIs to create a new cryptographic key which requires user authentication and with the generated key you could then en-/decrypt data. In order to access the key inside the Keystore the user needs to authenticate (e.g. through fingerprint authentication).
I have created a demo project for the new Keystore APIs (including fingerprint authentication) which you can find on GitHub: https://github.com/flschweiger/SafeApp
My requirement is to store username and password in my application.
I am storing username and password using android accountmanager and I am not able to get any straight answers to following queries:
Do i need to encrypt credentials before storing them in
accountmanager?
Does android account manager uses any encryption machenism by default?
How secure are credentials while stored in account manager against rooting?
Yes
No, you need to use Cipher class to encrypt
If you are root, you can access data easily and get the key for encrypt data. The best is to store the key in some native lib, more difficult to disassemble native lib.