I have to store the private key of my app in a secure location in the android device, i read about certStore, but it doesnt allow to store a file in it.
Is there any location where I can store it securely and doesn't get deleted if app re-installs.
You can store the key in the Preferences of your App. This will protect the key from
getting read by other applications because of the underlying file system restrictions of
the Android system.
But this won't protect the key from being read by the user itself.
and if you want to use this shared preference after your application removed and again installed in device then try for Android Backup Manager.
I think its help you in re-installation of your activity's data.
EDIT: Android (unfortunately) does not provide a way to do so. The approach I've used
before is to encrypt this token with another key generated within the app.
Your app key can be algorithmically generated. This, however, is only as secure as
your algorithm. Once that is known this is equivalent to storing the token in plain text.
Thanks.
Related
Is there a way to store a secret key (e.g. API key) in flutter?
Use-case:
When registering a new user on my app I need to talk to my backend. Since I only want devices that I know to register users, this backend has only authenticated endpoints. Which means I need to have an API key to authorize the app.
I know you can store environment variables or configurations inside config file or user secrets in a encrypted database but there are a some problems with that in this case:
config file can be recovered with all of its content by just unzipping the apk file which means there are no real secrets there...
To have a secret in a database, you need to put it there first which is not possible before runtime.
I'll probably use environnement variable, and also, I'll obfuscate my Dart code.
There is multiple tutorials, but i'll send you the one from the documentation:
https://flutter.dev/docs/deployment/obfuscate
I want to encrypt my Realm database and store the key in a secure location.
I have been doing some reading and it seems that storing in the Android KeyStore may not be the best idea since it's based on a device's screen lock.
Moreso, some articles say that if the screen lock is changed between pin, password or pattern, all the keys stored in the Android KeyStore are lost and have to be recreated again.
Is there a more secure way to generate the keys and store them in a different location?
What you can do is encrypt your key using whatever algorithm you want (not a deprecated one, obviously) and store it in the internal storage of your app, so it will be private and neither other apps or the user will be allowed to access it.
I have an Android application that sends info to a server, but needs each user to have an assigned API key that they use. The apk build is, therefore, universal, but I need to attach a unique config file to the download containing the API key.
SharedPreferences (or SecurePreferences) is ok for writing and reading from the app on the device, but not for sending down a pre-configured file?
*.properties needs to be compiled with the app?
AndroidManifest.xml meta-data, this is just used at build time?
What's the best way to have the unique API Key downloaded, have it stored somewhere private to the app, and accessible to the app?
What's the best way to have the unique API Key downloaded, have it stored somewhere private to the app, and accessible to the app?
You should get API key specific to user/app on successful authentication or login, then after you can store retrieved key in your SharedPreference of the application.
Set SharedPreferences mode as private mode so other application can not read/write it.
Is there any understandable examples of using KeyStore in Android?
I can't really understand how do I have to protect my password/token/anything_else in Android application in ROOTED device from being used by hackers who have physical access to the device.
I understand i can generate KeyPair with some ALIAS, and use it's private key as database password for example, but I'am interested in: can any hacker read this ALIAS from my decompiled apk(because i can't obfuscate alias string) and build another app which uses same ALIAS to get privateKey from android KeyStore?
Any solutions?
I can't really understand how do I have to protect my password/token/anything_else in Android application in ROOTED device from being used by hackers who have physical access to the device.
You can't. Client Authenticity is Not the Server's Problem.
Let's say you store an encrypted value in your app rather than storing the value directly. Where's the key to decrypt this value? The app will necessarily need to decrypt this value. Now all a hacker needs to do is download your .apk, plug it into Lobotomy, and they will quickly figure out what's going on.
You're better off simply never placing sensitive information on the device itself, if you want to hide it from the people who run your software.
Do you need to store the key in the app?
What if at first install you ask the user to set a password, you encrypt your SQLCipher DB with that key (maybe hash it too) , then every time, when the user starts the app, you ask the password.
I'm writing simple offline dictionary application. All data is stored on SQLite database.
If we assume that database is encrypted, app must use some kind of key, in order to have access to it. Also, we assume that this application is completely offline and does not access to any remote servers.
That means that key will be stored in apllication itself. I was trying to find out a lot of methods of hiding this key in app and all of them are flawed.
Is it even possible to hide this key implicitly in app itself?
If the app automatically displays data, it is not possible to protect that data.
Your app must store the key somewhere. Regardless of how much you try to obfuscate your code, it is still possible to decompile it (or just execute the obfuscated part, until the key comes out).
Or looking at it in a different way: hiding the key is a form of encryption. So now you need a second key to encrypt/decrypt the first key. (But with obfuscation, the 'key' is the program structure, which is less secure than a real cryptographic algorithm.)
The only way to protect the data would be to avoid storing the key by requiring the user to enter the key (as a password, or some separate token) whenever the app is to be used.
This implies that the user is trusted not to give the key away.