I want to know how to encrypt the external storage data (.asec).
Which algorithm is used, AES or another method?
And then what is the encryption key?
If a method to generate encryption key is open source, I think that it is going to cause a problem.
I would be grateful for any information about this.
The Android Open Source Project provides a document describing their crypto implementation.
Basically, they use AES in the Linux DM-CRYPT layer. See the document for full details, including how it interacts with vold.
Related
I was wondering what should be an ideal way for placing API keys, salts, or even private keys for encryption and ship them along with the APK. While doing research on this I saw a couple of methods widely used for placing some of these details:-
Place this info in gradle.properties - This is the simplest solution for placing these details but it is not secure at all. The information stored here can easily be extracted from the APK.
Store it in cpp - Create CPP files in the codebase where these details are placed and write JNIs to extract out these details when needed. This makes it harder for the attacker to extract out these details but it still is extractable
I read a couple of posts of which recommended using Keystore for securely storing this information but while seeing implementation at a couple of places I inferred that it usually stores values in runtime and I didn’t find any details on how to ship some salts or API keys along with the APK.
I wanted to know if there is any way for securely placing salts, API keys, etc along with the shipped APK. Or we can somehow use Keystore for this. Any help or suggestion will be really appreciated. Thank You!
Using this library You can easily secaure your api
https://github.com/MEiDIK/Cipher.so
Read Carefully there installation Process and still have any doubts or error i will help you
I am currently designing a secure file storage Android application as part of a group coursework. I am charged with the security side of the app.
Where can I learn about the the classes and imports that Android offers to implement password hashing, encryption of the stored files and such? I have looked on the android developers site, but it was of little use to me, as I am inexperienced with android.
Thanks.
You can find useful information about Android Security here: http://developer.android.com/training/articles/security-tips.html
Anyway, any app on Android is isolated from the other, so you're basically safe until you keep your data in the private storage (obviously if the user has root permission you cannot avoid the reading of these private files).
If you're going to write file OUTSIDE (as on the SD), you will have to implement some algorithm to enrcypt your files.
You can look for AES encyption in Java: Java 256-bit AES Password-Based Encryption
I am creating an application where I save some privacy documents.
I want to save those files as Encrypted format.
I searched in google for AES Encryption/Decryption alto in C language. Am not able to find standard algorithm implementing AES.
Can anyone suggest me AES Enc/Dec in C ?? please
I would like to use the same algorithm in both android and iPhone
Not really sure what Android and iPhone have to do with this, especially given that you're looking for a C implemetnation, but....
There's ccrypt:
http://ccrypt.sourceforge.net/
Here's a really small one:
http://www.literatecode.com/aes256
A reference implementation:
http://embeddedsw.net/Cipher_Reference_Home.html
Another:
http://gladman.plushost.co.uk/oldsite/AES/index.php
mcrypt:
http://sourceforge.net/projects/mcrypt/
AES is a standard algorithm, so there should be no need to seek a "common" implementation in C. Instead, you should learn how to perform AES encryption in both platforms. Provided you are consistent with your encryption mode and padding, you should be able to interoperate just fine.
Im currently developing a framework for oAuth 1 and 2 access to webservices and my question is, how do i store sensitive data like an oAuth access key in a secure way?
the problem with this keys is that some platforms like twitter use a permanent key and if someone would get access to this key he could do whatever he wants with the users twitter account..
so is it possible to automatically encrypt the data before it is stored in the shared preferences? Or is there a better way/place to store very important data?
UPDATE - ALSO READ: What is the most appropriate way to store user settings in Android application
You can also have a look at this class I made for doing exactly this: https://github.com/sveinungkb/encrypted-userprefs
It uses AES instead of the deprecated and weak DES used in the other suggestion.
1). How to encrypt?
On Android the encryption is done via Java Cryptography Architecture (JCA). Mainly it is the javax.crypto.* package.
JCA Reference Guide
Here is an example of JCA API usage (AES alrorithm in particular).
2). Where to store?
Encryption API manipulates with byte arrays (not strings). This means you can use SharedPreferences, but you'll need to apply Base-64 encoding on the encrypted byte array before putting it into SharedPreferences (otherwise XML parser will fail to read the shared preferences file). Then to read you will need to use Base-64 decoding. Note that by default most Android OS versions do not have a built in Base-64 API (see UPDATE section). So to remove this Base-64 overhead I would recommend just to store your bytes in a private file.
UPDATE: Since API Level 8, the API has android.util.Base64.
I would recommend using Facebook Conceal for encryption on Android almost every time - it's a fast Android library that makes some really sane decisions and leaves you with a few, simple interfaces for actually doing the work.
Bonus! I have recently pieced together the puzzle of how you can use it from Xamarin - see my article on securing your C# app's data using conceal for more information.
You should take a look at Slink.
I came to realize that most of the SharedPreferences encryption tools use encryption for each action you make, meaning that each key-value pair is saved only after both key and value been encrypted, separately. This creates a big performance overhead.
So I searched for a library that will give me a more efficient encryption process and I found Slink. Slink uses Facbook's Conceal library to save the entire map of objects as a whole, making it the most efficient and fast SharedPreferences encryption solution. It also uses common Android's SharedPreferences interfaces, which makes the usage extremely easy and almost seamless.
Disclaimer: I'm part of the development team developing this library.
See duplicate: Obfuscate/Encrypt SharedPreferences file possible?
Hi, I've created a SharedPreferences implementation using AES
encryiption. The project is a maven module. If you need one, take a
look. https://github.com/kovmarci86/android-secure-preferences
Try using our https://github.com/BottleRocketStudios/Android-Vault Vault component. It will use Android's Keystore (on supported devices) or an Obfuscation technique to encrypt values in a SharedPreference file and implements the SharedPreference interface, so it is largely a drop-in replacement.
new encryption introduce by facebook - conceal Encryption.. easy to use
https://github.com/afiqiqmal/ConcealSharedPreference-Android
This article on codeproject contains a nice wrapper for the shared prefs. However the class name SecurePreferences is misleading something like ObfuscatedPreferences would be more appropriate.
There is an Android Library that uses Facebook Conceal to encrypt data.
https://github.com/rtoshiro/SecureSharedPreferences
Maven Central:
compile 'com.github.rtoshiro.securesharedpreferences:securesharedpreferences:1.0.+'
You can encrypt the data in preferences and keep the encryption key in the Android Keystore system. This way your encryption key would also be safe.
You can look into a library doing this
https://github.com/ophio/secure-preferences
I have an Android app that has been already developed using SQLite.
The DB is quite large (over 100 Megs) so it can be deployed only on the SD card.
The data inside the DB is sensitive so for this reason we need to encrypt the DB.
The default SQLite binary on the phone does not allow encryption or to add a plug in (extensions).
I manage to compile the SQLite using NDK with the encryption extension (I am calling this SQLiteS - from secure) but I still need to figure out how to copy the Sqlite API and bind it to the new SQLiteS binary.
The idea is to not change the already developed code using the SQLite default API excepting the package name.
Any idea of how can I accomplish this ?
Tryp getting a native jdbcsqlite driver onto Android.
which makes sqlite3_* calls(JNI).
Use the aapt tool to link the library(sqliteS) into the .apk file.
Also, you can change the sqlite3_* names(in SQLiteS.so you built) so that it doesnt refer to sqlite.so file provided by android.
Let me know the solution.
I know this is not an answer for your question, but you could try the (free, open source) H2 database. It supports data file encryption as well. There are some disadvantages however, for example some operations are quite a bit slower. You would need to use the JDBC API because the SQLite / Android database API is not yet supported. Disclaimer: I'm one of the H2 committers.
Use sqlCipher. SQLCipher is an open source extension to SQLite that provides transparent 256-bit AES encryption of database files.
See http://sqlcipher.net/