I need to develop an Android application where encryption/decryption is done on client side. The data that is transported and stored in the server MUST be encrypted. The problem is that I cannot store the key of encryption/decryption anywhere.
The keys cannot be stored on the client machine. Because the admins (or someone that can access the server) should not have access to the un-encrypted data.
How to generate keys then? Can you suggest some method?
I'll assume that when you say the encryption keys should not be stored in the device, you really mean it :-) Because if that restriction were not there, you could use the KeyStore. However, this will mean the keys are stored on the device, which seems not to be what you want.
So, assuming the encryption keys are external to the device, it's somewhat straightforward as there is not much room for choice: your client app asks the user to input the encryption key in some fashion (up to you), which it uses to encrypt the data, and then forgets the encryption key immediately.
Then it sends the encrypted data to the server, where it is stored. The server does not know the encryption keys so to the server it's just an opaque blob of data.
When the user wants to retrieve the data, they have to provide the decryption key on the spot, since it's not stored on the device.
Related
I want to use one secure key to encrypt and decrypt data on device without saving it in SharedPreferences or DataStore. I want to generate that key using in app authorization (passcode and biometrics).
I know generating secure key with biometrics is possible using AndroidKeyStore. I know I can generate another key by using passcode. Is there any cryptographic way to use one of those keys to encrypt/decrypt local data?
I have tried generating keys with biometrics and passcode. But I could not find a way to encrypt and decrypt data with either of those keys. For example: user logs in and sets passcode and fingerprint. App should encrypt data so it could be decrypted using one of those authentication methods.
I am wondering how do other secure Android apps solve this problem. Can someone provide me an example where could I look into that?
It can be a one time thing, as the passed key can then be stored on the users device via android keystore.
What I'm ideally wanting, is a secure place to store a secret key, that is accessible by my app, which on installing the app, can retrieve and store this key locally.
My immediate thought is using certificates but I don't know too much about them, nor any service that can help me.
Any ideas?
I'm creating a dictionary app. I want to encrypt sqlite database (which has meaning for words) in my PC before creating the app. Then generate the apk file with that encrypted database, so that when somebody unzip the apk file, they only see encrypted database. Each and every time the user searches for a word, then the encrypted "meaning" of the word should be decrypted by the android app. I've gone through multiple threads, they talked about encrypting and decrypting the database in the phone. Please suggest me some safe methods to safeguard my hardwork.
There is no problem. Just encrypt before compiling the app, add the key to the app and decrypt in the app when needed.
Of course a competent attacker will be able to get the key.
Protecting assets from the device owner is very hard and generally requires DRM which is difficult and still not completely secure.
Actually, there should no need to encrypt any data on the mobile side because this sounds incorrect at the first place when you publish things should be secured around the world, you don't know how much the user device itself secure, and the user could be professional enough to crack your app and its security.
If you want something secured, secure it in your backend, and talk with your backend with api secured with https with headers have Auth token auto-generated for each user.
I want to encrypt the database before creating apk and decrypt it when
a user searches for a word.
If you mean decrypt inside your mobile and search inside your sqllite itself, why you encrypt it, if the code inside mobile will encrypt and decrypt, attacker even junior level one, will be able to hack your data!!
My mobile app has users, so after someone log in, I send back the user id to be used for future requests (GET and POST HTTP web service calls to manage user data), and I store it in an sqlite table called user_settings after encrypting it using jbcrypt along with the salt. is this a safe way to do it?
You could use sqlcipher to encrypt the database with a randomly-generated key, created on first startup, that you store in the Android Keystore System.
As #njzk2 said, there is no way to absolutely protect this data. Encrypting the database with a random, unique key, and stashing that key in the keystore, will make things much more difficult for an attacker, even with physical access to the device. In this scenario, the goal is not to keep the attacker from ever accessing the password, but slowing the attacker down enough that the user can change their password before the attacker can use it.
I'm developing an app which will connect to server webservice and exchange data. I want to include auto authentication mechanism in application. I'm not really good at security stuff, so I would like to ask you, how to do it properly. I think, that storing users password in sharedpreferences or database and comparing it with password stored in server is not a good idea, even in encrypted form. I guess that there is some better way to do it, right?
Normally the service will return a key of some sort (typically in a cookie), and you pass that key with each subsequent request. The server is responsible for keeping track of who has what key. And of course the key is very large so its unguessable.
On the server side, never store the password. You store a hash of the password, and when an incoming password comes from a login request, you hash it and compare the hashes. Better yet you should salt your hashes as well. If you aren't familiar with security I'd really suggest you use an existing library rather than writing your own.