I am deciding the mechanism to protect Android App and data. I did some research, but don't know if below solutions are enough or not. See if any expert can provide me some advice:
For SQLite database-level protection: Use SQLCipher
For SQLite data-level protection: Use AES256 to encrypt and decrypt (But don't know where to store the secret key is better?)
For Android data to Web Service(PHP): Use SSL and Post method
For Web Service(PHP) Json to Android: Use SSL and Post method
To prevent Android APK to re-engineering: Use Proguard
To make Web Service(PHP) can only access by the Android app: Hard-code a secret key inside the app, send it in HEAD with SSL everytime to the server. Or use android application licensing?
Thanks!!!
For SQLite database-level protection: Use SQLCipher
Correct.
For SQLite data-level protection: Use AES256 to encrypt and decrypt (But don't know where to store the secret key is better?)
You could but it might not be that necessary since SQLCipher already do the job on data protection in database-level. But if you do want to do double encryption, AES256 could do the job for you. Store the key somewhere that is hard to decode: ndk or in Java code. But don't forget to encrypt secret key as well. Decrypt it when you want to use.
For Web Service(PHP) Json to Android: Use SSL and Post method
Not enough. It is still be able to do repeated request attacked. Add two more mechanics, nonce (number used once) and request signing to your API. It will be far more safe.
For Android data to Web Service(PHP): Use SSL and Post method
SSL + Post + nonce + Request Signing + Certificate Pinning (to prevent man-in-the-middle attack).
To prevent Android APK to re-engineering: Use Proguard
Correct.
To make Web Service(PHP) can only access by the Android app: Hard-code a secret key inside the app, send it in HEAD with SSL everytime to the server. Or use android application licensing?
Just attach some variable, that indicated that the transaction was sent from your android app, to the request.
Related
I have been doing an Android project involving restful web services. What is the best way to keep API key safe. I have read a lot online. Many say it is safe to keep key in the server and use it and that it will be safe. I don't understand what that means. By my understanding saving key in the server means that the app needs to fetch it during operation by using volley or any other httpclient by providing an url. The attacker can decompile the apk file and see the url from which the key is obtained, get the key and do his nasty work. Am I getting things wrong? How can storing API key in the server be safe? Please help me understand.
you should write something like a SecureStorage using the Android Keystore and SharedPreferences and put the string inside it. We are currently developing such a library --> have a look at it here
I am learning how to build android apps. I'm building my first app using PHP and Java, i'm passing the values from Java to PHP using parameters.
localhost/myfile.php?id=GET ID FROM JAVA EDITBOX&name=GET NAME FROM JAVA EDITBOX
I'm inserting and updating using this method.
But i'm afraid about my app security, how can i hide my links? I would like to insert some security technics to prevent a common user from having the access to my links, and insert random data into my database.
I'm sorry about that noob question, but i would like to read more about that.
how can i hide my links
No way because APK file can be de-compiled
I would like to insert some security technics to prevent a common user
from having the access to my links, and insert random data into my
database.
You are allowing Un-authenticated users to insert the records??? If you are doing this, you are doing it wrong (I think)
You should allow Authenticated Users to Insert/Delete/Update records and
Un-authenticated users can Load data only.
Some Security Practices:
Authentication (Login) / Authorization (Permission)
Don't trust any data sent from client --> Data Validation at Server side is required
Use Asymmetric encryption - Public/Private key
Encrypt your data at client side using Public key
Decrypt the data at Server side using Private key
Apply Digital Signature OR MAC (Message Authentication Code) to make sure your data is Integrity & Authentication
Https used
I should develop an phonegap application. I need to encrypt my requests to the server side and then decrypt.
HTTPS is not a solution, because I need to sign requests to be sure that the data is not fake. I can use any async cryptography (the app will generate private/public keys and will send public key to the server). But this way I need to keep my private key on the device.
The question is: how I can keep private key on the device securely?
I can use sqlclipher (to encrypt my local SQLite DB) and integrate it into my phonegap app. Great, but here I have to keep secret key for database :)
var db = window.sqlitePlugin.openDatabase({name: "DB", key: "secret1"});
Any one who have access to the phone can get this secret key. So here I have the same issue:)
Please, give me any suggestions.
Thanks!
p.s. app for iOS and Android
You have to differentiate between encryption and authentication.
First, I suggest to use https to encrypt your messages and transfer them securely.
Second, I suggest to use HMAC for authentication of your messages. It basically works like this:
Generate a secret string known to your app and the server at compile time. You store this secret directly in the source code of your app so it is never transmitted to or from the server. This might be the main difference to your private/public key approach: You compile the secret right into your app instead of writing it later in some user accessible storage. "Right into your app" means in the case of Phonegap NOT in your HTML/JS files but in the native source code! You have to bridge the accessor to javascript if necessary.
Set a user id (=key; long, random!) in your app when the user starts your app for the first time. If you want to authenticate your users, you probably have some kind of login/password mechanism. (Store the user id as well as an HMAC generated from the user id and the shared secret on the device. Every time you read the user id, check it against the hash to be sure that the user id was not spoofed.)
In your App
Include a user id in every message.
Include a timestamp in every message.
Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret.
Include the hash value in your request header.
On the server side
Check if the timestamp is valid, e. g. not older than 2 minutes or so. This prevents replay attacks (at least after 2 minutes).
Check in your database if the user id is valid.
Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret. Including the request URI prevents people to send the same valid request to another URI on your server; e. g. in REST environments it is a big difference if you send the same DELETE request to /comment/1 or /user/1.
Compare it to the hash value submitted in your header, they have to be equal.
If any check fails, send an error. Otherwise send the response.
There is a chance of getting the shared secret and information about the way how you calculate the HMAC hash by decompiling your source code. I see no way to avoid this risk. ...without diving deeper into native development:
iOS Keychain
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html
Android security features
http://developer.android.com/training/articles/security-tips.html
By default, PhoneGap does not provide the feature of encryption on its own. Devices based on iOs and Android(above Gingerbread version) support full-disk encryption. But this is not available to PhoneGap/Cordova developers.
From the wiki:
PhoneGap is generally limited to the security features of the platform
on which it is running.
Refer to https://github.com/phonegap/phonegap/wiki/Platform-Security
For some JS based solution, give a try at http://code.google.com/p/crypto-js/
I am creating an app that requires the user to register with a remote server, but I want to hash their password before sending it off to be stored in my database.
I tried using the jBCrypt library, but it created a long hang time while hashing. Are there any other alternatives? What would be the best (and safest) way to hash the passwords without creating a noticeable hang?
Your approach seems to be wrong. Unless you have some special requirements, the usual way to do this is the following (not Android-specific, for any web application):
When the users register, take their password, hash it (using a random salt is also recommended), and save it in the DB. That is done so you don't save the actual password in your DB.
When the user needs to login, you send the actual password to your webapp (use SSL to avoid sending it in the clear), not the hash. On the server, you apply the same hashing algorithm as in step 1, and compare the result to what is in your DB. If they are the same, the user has provided the correct password.
In short, you should do your hashing on the server, not on the Android device.
Avoid saving 3rd party passwords at all cost. Saving them is considered a form of phishing. Try to save an authentication token instead of a raw password that you can get using a method like OAuth.
If you do need to send a password to a database on a webserver, just use HTTPS. This will ensure safe encryption over the wire. Then you can encrypt the password as necessary in the database. This method also ensures that your encryption mechanism is not on the device itself which can be more easily compromised.
My application would be frequently connecting to the web service to get some data in json.
Is there a way this data can be encrypted on server side and decrypted on application side so that data transferred is secure and safe?
Also, if the applicaiton comes with its own database (sqlite db file), is it possible for anyone using this application to look at this database (tables, fields and content)?
Regards,
Sapan
Your easiest option for transferring the data encrypted is to use SSL (i.e. https) for the communication between the app and the web service.
If you need to set up your own self-signed certificate for the server (instead of buying one) you might have problems getting android to talk with it, but it's doable. See this SO question for tips.
Regarding reading the database, it might be possible. I would assume that an attacker that got access to the phone could read the database, if they were determined enough. If you want the data to be really secure, you would have to store the database in an encrypted file and require the user to enter a password each time they open your app.
You have to decide how much security you really need.
You should definitely go for SSL encryption of the data when you transfer it over the network, though.
You can use crypto to encrypt/decrypt json in both android and server.In it very simple and secure. Using Base64 is not a efficient way, because anyone can decrypt. In this, you can use a secret key to encrypt and decrypt the String. If using wrong key to decrypt, the output will be wrong.
http://www.androidsnippets.com/encryptdecrypt-strings
I use Base64 encoding and decoding to encryt data over the network.
Depending on the type of webservice you are using, it will or will not have Base64 encoding and decoding. You can always google for code made by others.
Depending on the Android version you are targeting.
From API level 8 and up: http://developer.android.com/reference/android/util/Base64.html
For lower: http://www.frankdu.com/notes/2011/01/27/base64-encoding-with-android-2-1-or-earlier/
You could also write your own encoding and decoding systems of course. ;)