I've got an app that can save stuff you like to Google Storage for Developers. Assuming, of course, that you have an account and associated access keys. Their web based key management tool allows you to create keys and associated secrets. My question is regarding how a user can most easily install these in their copy of my app, allowing them to use the cloud storage.
A key is a 20 character alphanumeric string, and an associated secret is a 40 character Base-64 encoded string. It is clearly impractical for the user to enter these manually. Cut and paste across activities seems way awkward to me. How do you suggest getting two strings from a web page to two activity EditText fields - or to a tmp file I can read and then dispose - or ??
thanks.
The best way to go about it would be the API from Google
If you have access to a web page, there are these values are residing, you can download it, parse, and get these values.
Since it doesn't look like Google provides an API specifically for getting keys, your best bet would probably be to use an HTTP GET to pull the web page containing the keys and secret keys.
If you need to be authenticated with Google to do this (presumably you'd have to be), you could use SignPost to handle OAuth and make secure HTTP requests. After you pull the page, parse through the HttpResponse content and store the keys in a text file or a SharedPreferences file.
Related
I’d like to store a key->value structure of data e.g.
2354235 => string1
3453453 => string2
The structure has to be defined at build time and not modifiable over the runtime (security reasons). It must be stored securely (readable only by the app). Storing that in source code and in sqlite db are not acceptable. Any other ideas?
You are asking two things:
1) Where can you store that at build time, outside of code or DB.
2) How can you make it only readable by the app.
For 1), I suggest you just use an encrypted raw file (place it in /res/raw). They cannot be modified, and it could be just CSV or JSON. Check the javax.crypto package for the necessary classes for encription.
For 2), it depends on how secure you want it to be. You could download the decryption key from a server using a secure connection, but then you need to be sure that what's connecting to the server is really your app. You can use something like what's described here for validating your app in the server:
Summary
Doing this is a multi-step process, which I’ll outline in full, but here’s the short version: You use the GoogleAuthUtil class, available through Google Play services, to retrieve a string called an “ID Token”. You send the token to your back end and your back end can use it to quickly and cheaply verify which app sent it and who was using the app.
I am learning how to build android apps. I'm building my first app using PHP and Java, i'm passing the values from Java to PHP using parameters.
localhost/myfile.php?id=GET ID FROM JAVA EDITBOX&name=GET NAME FROM JAVA EDITBOX
I'm inserting and updating using this method.
But i'm afraid about my app security, how can i hide my links? I would like to insert some security technics to prevent a common user from having the access to my links, and insert random data into my database.
I'm sorry about that noob question, but i would like to read more about that.
how can i hide my links
No way because APK file can be de-compiled
I would like to insert some security technics to prevent a common user
from having the access to my links, and insert random data into my
database.
You are allowing Un-authenticated users to insert the records??? If you are doing this, you are doing it wrong (I think)
You should allow Authenticated Users to Insert/Delete/Update records and
Un-authenticated users can Load data only.
Some Security Practices:
Authentication (Login) / Authorization (Permission)
Don't trust any data sent from client --> Data Validation at Server side is required
Use Asymmetric encryption - Public/Private key
Encrypt your data at client side using Public key
Decrypt the data at Server side using Private key
Apply Digital Signature OR MAC (Message Authentication Code) to make sure your data is Integrity & Authentication
Https used
I don't understand what the hacker can see and cannot see when he enters in a mobile app, for example android. He decompiles the .apk, then sees some .class files. If for example, I encrypt a key/value pair in a file, I still need to call this key from the code, and if the hacker can see the code, no matter if the key is encrypted, he will know which key I am calling?
My goal is to keep some encrypted string in my app, for example the twitter account Id of my app.
Some topics talk about " a private key to read, what was encrypted with a public key ", but if I use them, I still need to store them somewhere in my app...
Don't completely understand your requirement but the rule-of-thumb is always assume that client is not to be trusted.
You have to ensure that
All decryption should be done in your server (which you trust).
The client should never be able to access the decrypted data (unless you want it to). Hence whatever part of your code that needs to directly access the decrypted data should be in the server.
The client should have only the encrypted data (if it must store data).
The client should not be able to access the private key you used to encrypt the data.
If in your case your client must be able to access the critical data directly, then your only resort is to use obfuscation techniques (Basically hiding your data/code, to make it hard to find/understand). Of course all obfuscation techniques can be defeated eventually by a determined hacker. You have to decide how valuable your data is, what are the probabilities a hacker will try and access your data.
To take an extreme example : storing your twitter account and password using obfusucation is very bad. Storing a twitter-url- might not be so bad.
you can get your keys from server while launching app. and also dont manage in app purchase detail in sharedPrefrence or Sqlite. because in rooted device user can see that data file from root browser or sqlite editor application so user be able to change value.
A very determined person can crack it, but it's a major pain to crack encrypted strings and will stop most hackers. Especially if you obfuscate your code with something like ProGuard.
Answer to a similar question for details on how to encrypt
I have an Android application and within it some strings which I send through htpps. Is it possible to encrypt those hardcoded strings (such as for example passwords) in Android application to be unreadable from the apk file?
Regards,
So if I understand your question correctly, you want to store encrypted strings within the Android apk file (in strings.xml for example). If this is the case, yes, you can absolutely store encrypted strings wherever you please.
The kicker is that in order to decrypt these strings, you'll need a key. Wherever you end up storing the key becomes the weak link in this chain. If your app is reverse engineered and someone gets a hold of the key, your strings are no longer encrypted.
So to answer your question, no, it's not possible to do what want.
Check out What is the most appropriate way to store user settings in Android application and a whole bunch of other question. Basically you can obfuscate and encrypt to some extend but you will never be completely safe on a rooted device and against network sniffing attacks. That said though that applies everywhere.. find your best compromise between level of effort to implement and crack and the data you are protecting.
I think you should explain what do you want to do with this strings.
If you want just send password to server and make some kind of authorization, you can use MD5 or some other hash function to hide thode values. Hashed password can be compared with hashed password at the server side.
If you want to send encrypted text and decrypt it at the receiver side then you have to use some encryption algorithm, e.g. DES (some kind of encrypting key will be needed).
What would be the best most secure way to handle confidential text in an Android app?
The basic structure is (text/int) and some similar variations of it.
The app only shows a selection of the (readable text /readable int) at a time, so decryption will only be done for very few pairs at a time.
I need to make sure that extracting the complete (text/int) information is practically impossible - if possible :-)
Is there any standard library/scheme to handle this?
Many thanks
EDIT (after getting some very interesting responses to this question):
It seems that even when the data is encrypted one could easily take the de-compiled code from the app, combine this with a self-written extraction routine, and hereby get all the decrypted info to a file. Since the encryption key has to be provided to users of the app, everybody could potentially get to the data this way.
So in summary there is no real good solution?
You can save your text/int pair into the SharedPreference.
Because it's not secure, you can encryt the data before saving it into the SharedPreference in the same way as Google do in the Application Licensing package.
More details can be found in the Implementing an Obfuscator part.
The code source of the AESObfuscator can be found in the SDK in the market_licensing/library/src/com/android/vending/licensing folder.
I think in your application you can use a symmetric cryptography and you can store your key in the Keystore. This key should be protected with password. Every time, when you run your application, it will ask the user for the password. If the password is correct then the key is extracted from the Keystore and used to decrypt your data. In this case, there is no difference where you store your data (text/int pairs) because all data will be encrypted. For Android SDK look at the package java.security and to the class java.security.KeyStore
If you want to supply your application with the data that you don't want to be extracted then obfuscation is a possible solution if you write in Java. If you want this functionality to be written in C/C++ then use Android NDK.