How to prevent hackers from accessing my app's database on Android?

As you know, we can access any folder on an Android device after rooting. My app has a database and some other binary files. I know that I can't prevent the user from seeing my files and database. But is there any way to prevent the user from copying it to other Android devices for illegal use?

One option is to encrypt the data stored in the database. Normally it is stored in plaintext. SQLCipher, I believe, works for Android too.
From the Android/Google official forums:
"Users with rooted phones can get access to any files they want. Otherwise, databases in the conventional on-board flash location are secure."
If you want to prevent that (rooted access), the only option is to encrypt it. However long it takes.
EDIT:
What I am saying is, it is never completely secure. You can make it as difficult as possible for hackers. You can save the decryption key (only) on the server (if downloading the entire data from the server is time-consuming), but then the app needs a net connection to work. You can save the key in a hidden file (filename starting with .), but rooted users with knowledge of Linux-type file systems can find them. Or you can do as Teovald suggests in the comment to this answer, by generating the key at run time using any hash algorithm from any constants (like the IMEI number), but that also needs some processing. The more you try to secure it, the more work you need to do to use it. So it is a 50-50 kind of situation, and the decision should depend on one's requirements.

Apart from encryption (see Krishnabhadra's answer) the only way to ensure critical data is to not have everything on the device. So you could access the most critical data always online only.
Of course this has the downside that not all of your app is usable if the user has no connection. You have to balance between your need to keep data safe from prying and allowing instant offline access to data.
Whether you can alleviate the former problem depends on the data. If all is critical, nothing is allowed on the device. Users will understand and begrudgingly accept this. No one would want a copy of his bank account on his device. But you should allow access to everything that is not critical even in offline mode.

Related

Is it possible to hack the data of Android app even if it's offline?

I'm building a simple Android application for myself. It is a simple password manager where I can store all my accounts. I just want to know if it is possible to hack or extract the data of an Android app even if it's offline?
Thank you
Are the password hashes stored server or client-side? If the passwords are stored client-side, then yes, it is indeed possible. If the passwords are stored in plaintext, all the better for the attacker who has local access to the device.
My hope would be that you used symmetric-key encryption on the passwords which can only be decrypted with your master password utilized as the key and that you minimize plaintext exposure even within memory.
No one can transfer data to a remote server when the device is offline, but there are other possible ways to consider for your problem, like:
Create a program to collect data from your database and send it through SMS (considering passwords are textual data and small in size)
Create a program to collect data, keep a low profile, and send it to a server when the device comes online
Technically possible, but don't worry; the chances of someone doing something like this are very low.
Go with your idea and encrypt the data if you can, to avoid easy stealing.
Happy coding :)
I would always assume yes with these kinds of things. I would recommend looking into encryption of the data; a simple splash screen for an app password would work. I would make sure that the private encryption key is something that can only be generated by that password entered at the lock/splash screen. Other than that, on stock ROMs you should be alright, but obviously don't leave fishy apps on your device. If I was building this I might even look into 2-factor auth via NFC as well.
Yes, it may be possible!
The Internet is not the only thing that connects or shares ports.
There are many options like Bluetooth or hotspot...
Through which we can connect two devices; we just have to write a program which accesses these tools and gives commands to the victim's phone...
For online
We have the msfvenom payload to hack any Android...
It's quite an easy process; in this process we forward the victim's phone port to the attacker's OS...
It's so easy
For offline services we can hack the device using BT remote control or the same with Wi-Fi...

Store "Coins" in Android/iOS app that cannot be hacked

I haven't been able to find exactly what I've been looking for by searching the web. Basically, I am making an app with digital currency that I don't want users to be able to hack and add coins to their account. I was thinking of 2 methods to do this, I want to know your opinions on them and how you would approach them to be as secure as possible. I'm not too sure about them but here they are:
Store the data on the user's device with an encryption. The issue with this is that if the user has root access, they could potentially decrypt it.
Give each phone a UUID and store their "coin" information in a database. Every time they open the app, they are automatically logged in using the UUID. This prevents the need to create passwords and usernames. The issue with this is that someone could decrypt the UUID off someone else's device and use it on their own to steal it. Also this would make the experience potentially slower and would cost more for me to do.
So what is the best solution? Do you know of any other ways? Thanks in advance.
Extra info: I plan on using LibGDX since it is cross platform and may be a good place to start but it may also limit what I can do. I am willing to use native android and eventually do the same on iOS if it allows for a much more secure experience.
You cannot store data locally 100% secure. As soon as your app itself can read/write the local coin count the "attacker" can as well.
The only secure option is to save it on a server. Of course every increase / decrease of the coin count has to happen on the server itself and be checked for validity before saved.
Note: You cannot "decrypt the UUID off someone else's device" as long as the server is secure.
UUIDs (Universally Unique Identifiers) are unique across space and time. They just are, there is nothing to decrypt.
The problem of digital currencies has been solved: Bitcoin, Litecoin and the spin-offs. It is not an easy or trivial thing to create. If you are dealing with "coins" that have any real value you really need to get your scheme and security vetted by a digital security domain expert; expect to pay several thousand dollars.
Root access does not protect the encrypted data, the data can only be decrypted with the correct key, generally 128 to 256 bits of random data. The protection problem moves to protecting the key. About the best you can do is create a random key to use and save it in the keychain (iOS, Android keychain has more restrictive usage). But if the device does not have a good passcode (or any or good) there is little to no security. In general protecting data from the valid user is difficult and usually falls under DRM, needs servers and authentication.
LibGDX: the more obscure coding system you use the less help is available, think carefully about that. Also if you have competition the UI is very important. While it is generally said that you only have one chance to impress the user you have multiple opportunities to make them unhappy/angry ex-users. Cross platform systems tend to have poorer UI and more non-standard from the native UI on each platform.

Is it possible to utilize the android keystore daemon on ICS without a device PIN?

I've been using Nikolay Elenkov's blog (http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html) to store encrypted password information in our android application. The requirements are such that we a) don't want to store the key/salt in our code directly, because this can be decompiled/removed, b) need to support back to android API level 14, and c) need to store password (encrypted) information on the device (i.e. can't currently use an OpenAuth token or similar system, as it would require server changes that can't be made right now).
So, on JB 4.2+ devices, I can utilize the newer secure credential storage, which doesn't cause any problems. For JB 4.1 and ICS devices, though, I need to use the aforementioned method of interacting with the keystore daemon through nelenkov's techniques.
The problem here is that when the secure credential storage is initialized, it requires that the user set up a device password/pin, as it uses this to base the encryption key used for the master storage off of. This is kind of a bad deal, because it is a big hindrance for the user.
Alternatively, I've looked at using a separate key store, based off of SpongyCastle. The problem with this direction, though, is that I would need to initialize it with some password (likely stored in my source code). This would mean that, if the device were stolen/rooted, it would be relatively easy to procure the contents of the "secure" key store, as the password could be retrieved from the app's decompiled source.
Is there a better solution to this problem that I'm not seeing, or is it just not possible with API versions < 18?
There are really only two ways to do this: either the user enters some kind of password and you derive your keys from it, or you generate a key and store it on the device. Using the device unlock password is a lot more user-friendly than having the user remember a dedicated password for your app only. BTW, on 4.2+ you still need a lockscreen password so nothing is changed compared to 4.0. As usual, if the device is rooted, the attacker can get the user's Google authentication tokens, and bruteforce the lockscreen password so you'd have much bigger problems. So think about your threat model first and decide how far you are willing to go. If the data is truly sensitive, use a dedicated password with sufficient complexity that needs to be entered every time the app is opened. You can also write a device administrator and require that the device is encrypted, that the lockscreen PIN/password is sufficiently long/complex, etc.
The alternative is to use tokens, either your own or from a third party identity provider (Google, FB, etc.).

Secure container for apps- Android

I want to make an app like McAfee Secure Container. The container app should launch other (specific) apps and provide them isolated execution environment. There should be no data sharing outside the container and all the apps inside container should use container's network connection.
What can be a way forward?
I know one solution that runs each app within its own Dalvik VM with a unique ID (uid, ref. Linux) to protect all resources for that app. It makes use of the Linux file permissions to protect these resources. The only way to get apps running with the same UID is to sign them with the same publisher key and declare this ID in the manifest. To get resources world-readable you have to declare this explicitly when opening the resources within the app. Furthermore, the apps can only access certain system resources if they declare that permission in the manifest. Think of IO operations and so on. These permissions will then be prompted to the user at install time.
... It's called Android :-)
Or in other words what more do you search for than what is already provided by the Android system? If you're looking for security I would say the Android system is pretty secure on its own. Some threats I can think of are listed next.
A possible threat is that the system itself (not the app) is compromised (rooted or so). Then all your app data will be exposed on that system. The solution for that is encrypting your data. Google for Android Derived Key for more information on how to get a key from a user password and use that key to encrypt sensitive data stored on a device. The main rule here is to only store sensitive data if you really have to and encrypt it if you do. Also make sure to use CBC mode instead of ECB mode and provide a salt and an IV.
Never ever think that your code is safe. Not even if it is obfuscated. Obfuscation does not make it impossible to get the code in a readable format. It just makes it harder. So it's always a bad idea to keep sensitive data in your code.
Another possible threat I can think of is network traffic. Use SSL/TLS and verify hostnames. Limit credentials going over the network by using generated tokens for authentication. Encrypt data over the network, this time use a dynamic IV. Also validate input and be aware of SQL injection.
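The derived-key advice in the answer above (a key from the user's password, CBC with a salt and an IV), which is also what the password-manager answers earlier on this page ask for, as an added example that is not code from any of the posts. The class name, iteration count, blob layout and sample strings are assumptions, and the HMAC tag is an addition beyond the answer's text, included because CBC alone does not detect a modified file.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
public class PasswordVault {
    static final int ITER = 100_000, SALT = 16, IV = 16, TAG = 32; // constructed parameters
    // PBKDF2 stretches the password into 512 bits: an AES-256 key and a separate HMAC key.
    // The salt is read from the first SALT bytes of the blob.
    static SecretKey[] derive(char[] pw, byte[] blob) throws GeneralSecurityException {
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, Arrays.copyOf(blob, SALT), ITER, 512)).getEncoded();
        return new SecretKey[] { new SecretKeySpec(k, 0, 32, "AES"), new SecretKeySpec(k, 32, 32, "HmacSHA256") };
    }
    static byte[] mac(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        m.update(blob, 0, blob.length - TAG); // covers salt, IV and ciphertext
        return m.doFinal();
    }

    // Layout: salt || iv || AES-CBC ciphertext || HMAC tag. Fresh salt and IV on every call.
    static byte[] encrypt(char[] pw, byte[] plain) throws GeneralSecurityException {
        byte[] head = new byte[SALT + IV];
        new SecureRandom().nextBytes(head);
        SecretKey[] keys = derive(pw, head);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, keys[0], new IvParameterSpec(head, SALT, IV));
        byte[] ct = c.doFinal(plain);
        byte[] blob = Arrays.copyOf(head, head.length + ct.length + TAG);
        System.arraycopy(ct, 0, blob, head.length, ct.length);
        System.arraycopy(mac(keys[1], blob), 0, blob, blob.length - TAG, TAG);
        return blob;
    }

    static byte[] decrypt(char[] pw, byte[] blob) throws GeneralSecurityException {
        if (blob.length < SALT + IV + TAG) throw new GeneralSecurityException("truncated blob");
        SecretKey[] keys = derive(pw, blob);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG, blob.length);
        // Constant-time tag check first: a wrong password or edited file is rejected before decryption.
        if (!MessageDigest.isEqual(tag, mac(keys[1], blob)))
            throw new GeneralSecurityException("wrong password or modified data");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, keys[0], new IvParameterSpec(blob, SALT, IV));
        return c.doFinal(blob, SALT + IV, blob.length - SALT - IV - TAG);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "constructed master password".toCharArray(); // sample input, not a real secret
        byte[] blob = encrypt(pw, "site=example.org;pw=sample".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(pw, blob), StandardCharsets.UTF_8));
    }
}
```

Nothing secret is stored with the blob: the salt and IV are public, and the key exists only while the user's password is in memory, which is why a copied database file is useless without that password.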
Short answer : you can achieve this with Dynamic Library loading.
Long answer please refer to this:
https://www.youtube.com/watch?v=siVS2jmPABM

Is it possible to access the SQLite-database of an Android-app on my phone?

I am creating an app where the user does some things during a game, and these actions are logged in a SQLite-database. At the end of the game the app presents these logs through a screen, which are read by the game administrators (like, physically read by the game administrators watching the screen). Is there some ways for the contestants to manipulate the database, and if not, what security measures prevent them from doing this?
The database is stored under /data/data/your.applications.package/databases. Normally this location can only be accessed by the user the Android OS created for the app. No other user is able to access this location unless the device is rooted. Then any user can access any location on the phone and manipulate the data.
So if you want to prevent users from cheating you need some way to check if the values in the database are untouched. Perhaps you can store some kind of fingerprint on a server to check this.
Yes, you can do it programmatically, as long as you are the developer. Here are the Android docs for SQLiteDatabase.
Here are some links for working with SQLiteDatabases programmatically:
From Android docs
From a blog
From another blog
The SQLiteDatabase in an application should be 'sandboxed' to that specific application, meaning that no other application should be able to get to that data, as long as the developer didn't provide access to it with a ContentProvider. So to answer your final question, no, there should not be a way for contestants to manipulate the database, except in ways that the developer has already allowed.
Yes, users can examine and change the database when connected over USB via ADB: http://developer.android.com/guide/developing/tools/adb.html#shellcommands
Update:
This only works on rooted devices or official Google Dev devices: Why do I get access denied to data folder when using adb?
Still, this would allow users to access the database and change game results. So you cannot rely on the database not being accessible.
Unless you issue the devices to users and you carefully watch what they do with them, to be secure against anyone determined, you need to digitally sign the entries in the database using a mechanism hidden in strongly obfuscated application code. And even that only makes it harder.
Note that using a server does not help unless a key part of the game logic itself is implemented in the server; if the user knows how to fake your signing mechanism to write fake database entries, they can also send fake reports to your server.
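One way to sign the log entries as the answer above suggests, shown as an added example that is not code from the post. It assumes an HMAC key held inside the app (so, as the answer says, it only makes tampering harder), and the class, row layout and sample events are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SignedGameLog {
    // One row as it would sit in the SQLite table: the event text plus a tag column.
    static final class Row {
        String event; final byte[] tag;
        Row(String event, byte[] tag) { this.event = event; this.tag = tag; }
    }

    // tag_i = HMAC(key, tag_{i-1} || i || event): editing, deleting or reordering a row breaks the chain.
    static byte[] tag(byte[] key, byte[] prev, int i, String event) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        m.update(prev);
        m.update(ByteBuffer.allocate(4).putInt(i).array());
        m.update(event.getBytes(StandardCharsets.UTF_8));
        return m.doFinal();
    }

    static void append(List<Row> log, byte[] key, String event) throws GeneralSecurityException {
        byte[] prev = log.isEmpty() ? new byte[32] : log.get(log.size() - 1).tag;
        log.add(new Row(event, tag(key, prev, log.size(), event)));
    }

    // Returns the index of the first row whose tag does not verify, or -1 if the chain is intact.
    static int firstBadRow(List<Row> log, byte[] key) throws GeneralSecurityException {
        byte[] prev = new byte[32];
        for (int i = 0; i < log.size(); i++) {
            Row r = log.get(i);
            if (!MessageDigest.isEqual(r.tag, tag(key, prev, i, r.event))) return i;
            prev = r.tag;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // placeholder key
        List<Row> log = new ArrayList<>();
        for (String e : new String[] {"checkpoint 1 reached", "penalty +30s", "checkpoint 2 reached"})
            append(log, key, e);
        System.out.println("before edit: " + firstBadRow(log, key));
        log.get(1).event = "penalty +0s"; // simulates a row changed directly in the database file
        System.out.println("after edit:  " + firstBadRow(log, key));
    }
}
```

Rows removed from the end of the table still leave a valid chain, so the row count and last tag need to be recorded somewhere the contestant cannot write, such as the server-side fingerprint an earlier answer mentions.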
You can use Proguard to obfuscate your code.
Also have the database be unique with a particular id according to the device id with some sort of server callback, to validate the database.
