Good afternoon,
I need a little bit of help. I'm using QT6.4 to write an Android app that handles private keys.
I have no prior experience with QT or Android app development. This app stores an Ecdsa private key used to make signatures, the key is generated remotely. Currently I just store it in a text file but it doesn't seem like good security. I heard of Android keystore but I don't know if it's possible to use.
Any suggestions or examples?
Storing private key in plain text file seems insecure. Other apps could read it.
In Qt, there is no API to access the Android Keystore... So the best solution would be to access it in Java/Kotlin.
To add a custom Java class to an Qt Android application, and how to call it using the JNI convenience APIs in Qt, you can check the notifier example :
https://doc.qt.io/qt-6/qtcore-platform-androidnotifier-example.html
The most secure usage would be to generate the private key inside the Android Keystore, which doesn't allow to access it. To generate private keys in Keystore this is a good site to read:
https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec
If the key needs to generate remotely and you download it, then you have 2 possibilities:
Import the key into AndroidKeystore - start by reading: https://developer.android.com/reference/kotlin/android/security/keystore/KeyProtection
Generate a new private key and encrypt the key. Then store it in a file or any persistent place.
I was wondering what should be an ideal way for placing API keys, salts, or even private keys for encryption and ship them along with the APK. While doing research on this I saw a couple of methods widely used for placing some of these details:-
Place this info in gradle.properties - This is the simplest solution for placing these details but it is not secure at all. The information stored here can easily be extracted from the APK.
Store it in cpp - Create CPP files in the codebase where these details are placed and write JNIs to extract out these details when needed. This makes it harder for the attacker to extract out these details but it still is extractable
I read a couple of posts of which recommended using Keystore for securely storing this information but while seeing implementation at a couple of places I inferred that it usually stores values in runtime and I didn’t find any details on how to ship some salts or API keys along with the APK.
I wanted to know if there is any way for securely placing salts, API keys, etc along with the shipped APK. Or we can somehow use Keystore for this. Any help or suggestion will be really appreciated. Thank You!
Using this library You can easily secaure your api
https://github.com/MEiDIK/Cipher.so
Read Carefully there installation Process and still have any doubts or error i will help you
I generate a small metadata file (2KB) from my app which needs to be unreadable if the user browse through file system. These files will not be transferred elsewhere through my app.
After prolong research I figured I have to use Symmetry encryption. But I am lost what type of algorithm and how to use key/salt. Efficiency of the algorithm is important because the file is updated on onPause method.
Should I declare it in code and use that for all users or should I generate new one for each user. If I go with second option, where do I store the key/salt for later use. Should I obfuscate the code?
Please advice.
Currently I have short listed these two. Are they secure enough for my requirement? How can I improve them?
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
String Encryption in Android
I am developing an application that has SQLite database to store personal information that must be protected. What are some ways of protecting these personal data? An APK can easily be de-compiled completely, so how can we secure an APK? Additionally, how can a database of a mobile application be protected?
Basically, there are 5 methods to protect your APK being cracking/ reversing/ repackaging:
1. Isolate Java Program
The easiest way is to make users unable to access to the Java Class program. This is the most fundamental way, and it has a variety of specific ways to achieve this. For example, developers can place the key Java Class on the server, clients acquire services by access relevant interfaces of the server rather than access to the Class file directly. So there is no way for hackers to decompile Class files. Currently, there are more and more standards and protocols services provided through interfaces, such as HTTP, Web Service, RPC, etc. But there are lots of applications are not suitable for this protection. For example, Java programs in stand-alone programs are unable to isolate.
2. Encrypt Class Files
To prevent Class files from being decompiled directly, many developers will encrypt some key Class files, such as registration number, serial number management and other related classes. Before using these encrypted classes, the program needs to decrypt these classes first, then loading these classes into JVM. These classes can be decrypted by hardware, or software.
Developers often loading cryptographic classes through a customed ClassLoader class (Applet does not support customed ClassLoader because of security). Customed ClassLoader will find cryptographic classes first, then decrypt them. And finally loading the decrypted classes to JVM. Customed ClassLoader is a very important class in this protect method. Because it itself is not encrypted, it may be the first target of a hacker. If the relevant decryption key and algorithm have been overcome, then the encrypted classes can easily be decrypted.
3. Convert to Native Codes
Convert program to native codes is also an effective way to prevent decompilation. Because native codes are often difficult to be decompiled. Developers can convert the entire application to native codes, or they can also convert only key modules. If just convert key part of the modules, it will need JNI technology to call when Java programs are using these modules. It abandoned Java's cross-platform feature when using this mothod to protect Java programs. For different platforms, we need to maintain different versions of the native codes, which will increase software support and maintenance workload. But for some key modules, sometimes this solution is often necessary. In order to guarantee these native codes will not be modified or replaced, developers often need to digitally sign these codes. Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.
4. Code Obfuscation
Code obfuscation is to re-organize and process Class file, making the treated codes accomplish the same function (semantics) with the untreated codes. But the obfuscated codes are difficult to be decompiled, i.e., the decompiled codes are very difficult to understand, therefore decompile staffs are hard to understand the really semantics. Theoretically, if hackers have enough time, obfuscated codes may still be cracked. Even some people are developing de-obfuscate tool. But from the actual situation, since the diversified development of obfuscation, the mature of obfuscation theory, obfuscated Java codes can well prevent decompilation.
5. Online Encryption
APK Protect was an online encryption website for APK, but activity has apparently been discontinued since 2013 or so. It provided Java codes and C++ codes protection to achieve anti-debugging and decompile effects.
I originally suggested you use this last method for it could save you more time. Based on my experience, it was very simple to operate and it wouldn't take long time.
With Jellybean this has now become a possibility.
$ openssl enc -aes-128-cbc -K 000102030405060708090A0B0C0D0E0F
-iv 000102030405060708090A0B0C0D0E0F -in my-app.apk -out my-app-enc.apk
$ adb install --algo 'AES/CBC/PKCS5Padding' --key 000102030405060708090A0B0C0D0E0F
--iv 000102030405060708090A0B0C0D0E0F my-app-enc.apk
pkg: /data/local/tmp/my-app-enc.apk
Success
Please read the following blog post for further details
If this is secret information that must not fall into the hands of your users, you cannot secure it. It is fundamentally impossible to put information on a device (code or data), and have your application access it, but not allow someone with the device to have access to that information.
Encrypting the information is pointless from a security point of view, because your application has to contain whatever is needed to decrypt it in order to use it, and a sufficiently motivated attacker can always extract that and decrypt it on their own.
All you can do is make it more annoying and time consuming to get access to that information, which only helps if there's not really that much of a need to keep it secret. This is what using proguard to obfuscate your .apk file can do.
Have you considered sqlite encryption? See this thread - sqlite encryption for android
As for protecting your .apk, try obfuscating your code using proguard. See http://developer.android.com/guide/developing/tools/proguard.html
You can try 'Anti Decompiler(Android)Trial'
https://play.google.com/store/apps/details?id=com.tth.AntilDecompilerTrial
It makes something Proguard doesn't:
Hide all const values (string, character), you will never see clear text like "my key", "my val"... in your apk file
Obfuscate file name, which is referenced in AndroidManifest.xml
Add fake code to your source code. Event the powerful decompilers likes: dex2jar, jd-gui,... can't reverse exactly your apk file. Most of functions will show with comment 'Error'.
=====
After transforming, if you give someone your source project, it will be nearly impossible to read and understand.
This solution doesn't exclude Proguard, You can combine them together. (function, field Obfuscation of Proguard is better than Obfuscation features of this solution)
You may read my post at: http://www.androidpit.com/en/android/forum/thread/567093/An-Analysis-of-Android-APK-Protect-Shell-APKProtect. The APK added with protect shell of APK Protect is seems unable decompile. I mean, the encrypt method is very advanced. Even a master hacker need long time to crack it.
If it is the database that contains sensitive data you can encrypt the values of several columns or the full database like mentioned in the other answer and make sure that the password is not stored on the device but has to be entered by the user on accessing the data.
If there are pieces of code you need to protect there's really no good way of securing it. All you can for a limited amount of use-cases is to create a dependency to an online service and secure the server. But for a lot of applications this would not be an option.
First, make apk that can never be modified and used. I do it by temper detection from the server. I use root check emulator check. Then on the important activity, it checks root and emulator on every oncreate and on resume, deletes important data on onpause, Great. Now encrypt data and place license to server, use SSL server. It app can not be modified and run, everything is safe for ever. Well, how to avoid decompiler and online tamper detection. I do placing a huge code to generate some sample string from apk file, and compare it with an apk copy placed on the server. I have converted apk file to string. Just enjoy.
I want to know how to encrypt the external storage data (.asec).
Which algorithm is used, AES or another method?
And then what is the encryption key?
If a method to generate encryption key is open source, I think that it is going to cause a problem.
I would be grateful for any information about this.
The Android Open Source Project provides a document describing their crypto implementation.
Basically, they use AES in the Linux DM-CRYPT layer. See the document for full details, including how it interacts with vold.