I am completely new to android. What I wanna do is, from a given textbox, I want to get the number, encrypt it with a key stored in the android app (which increments each time the user does the encryption) and then pass the ciphertext through sha1 and then print it back on the screen. Can anybody give me some basic help?
I don't understand what is incrementing, but I will give a shot.
You can use BouncyCastle (how to add bouncycastle algorithm to android) for the encryption, and then just use base64 on the SHA1 (which is weak) hash in order to have it be printable.
The only trick is how you get the key on the Android, your best bet may be to have it be generated on the device.
Related
What I want to know is can a signed apk be extracted and edited? And can the attacker again compress the apk and attack a victim?
I know that we can use proguard to obscure the code but some people said that the apk still can be extracted and modified through reverse engineering.
My main concern is I want to encrypt my java files because I have some authentication data in my java files.
Can anyone give me a bulletproof method to protect java files from being inaccessible.
Edit -
Found few old thread in stack but they never explained about signed apk and protect them from getting exploited.
Yes. Cryptographic signing is not encryption. Signing proves that whoever signed it knew a secret key. Assuming the key is kept secure, you can be sure that two files signed by the same key are from the same person. With some forms of signing with public and private keys, it can be used to prove the identity of the signer. This does not provide any protection against reading that data, although it does provide protection against a counterfeit copy of the app being claimed as the real thing (assuming the user pays attention to the signature).
There is no way to do what you want to do. In the end, an app has to be run by a processor or interpreter. That means it needs to be translated into instructions that the processor understands. If you want something to be secure, do not put it on a client device. There is no way to protect it if you're sending it to a device that needs to decrypt it and use it.
Any APK can be decompressed and have its sources read. You cannot, however, edit it and sign it without the signing key.
There is no way to encrypt your source files and everything inside of them is readable by anyone. Authentication data shouldn't be stored in an application if it is expected to be secret.
signed apks can easily be reverse engineered. You should never place authentication data in the source code. There is no bullet proof solution for this. However you can make it difficult for the attacker by encoding and not placing your critical data in obvious places.
You should use another way to use your authentication data, I've read something about building a binary and storing inside the lib directory as a .so file, I'm not sure how exactly it's the proccess because I didn't tried, but you can research another methods, storing private data on Java source it's not secure.
I need to make an app where you will open a PDF document, show it to a customer and he will electronically sign it(write his signature on a tablet).
From what I read you need the data from the signature being created (time stamp, pressure and time from drawing) and attach it to the PDF.
But is this enough? So to open a canvas, read the data and attach it to the PDF with the signature image itself or do I need to digitally sign the PDF as well? If this is it enough, then where to attach all that additional data(time stamp...)? - I plan on using itext library.
There are lots of aspects coming with your question. In the end it all comes down to your/your customers requirements of the process. Let me illustrate what you can do:
Firstly: There is a difference between a digital signature and a handwritten representation of a signature - although you can combine both...
Solution I
Capture the signature image (from a canvas), create an image out of it
Put the image into the PDF
Solution II
Same as above
Create a standard PDF signature field, set the signature-image as its appearance and digitally sign the field and thus the document (you need a certificate for that, but it can be self-signed). The timestamp (and further infos like location, reason etc.) can also be added and are part of the signature
Solution III
Same as above
Also collect the so called biometric data of the signature (x,y coordinates, pressure like you mentioned (however not always available) and timestamp for each coordinate pair
Encrypt the biometric data and add it to the signature field (strongly oversimplified)
Same as step 2 from above (cp. Solution II)
Solution IV (Update)
As you mentioned in your comment you want an eIDAS compliant signature:
"I do not need it to be digitally signed what I need is basic e-signature that is valid underneath eIDAS"
To make it clear: eIDAS is a way to digitally sign PDF documents.
Same as above
If you want an eIDAS compliant eSignature you also need a certificate. There is no way around it. But the certificate can be self-signed so it shouldn't be a problem. The rest is the same like in Solution II (step 2)
There may be other combinations (e.g. using qualified certificates from a smart card etc.) but in the end only you can decide what's the right solution for you. It depends on your requirements, your countries regulations and the legal necessities of the contracts you want to sign.
What are the differences of the solutions?
The first solution doesn't provide any possibility to verify the authenticity of the signer nor does it ensure that the document wasn't altered after the signature-image was added. Solution II provides exactly that however if self-signed certificates are used the signer cannot be identified (anybody could have signed that document). To prove that, you have to use qualified certificates or go with solution III.
Last remarks:
If the signer should sign at a certain place it makes sense to add empty signature field(s) when creating the document. Then when opened in your application a user can click on the signature field he wants to sign.
There are many existing solutions you could use exactly for that use case. Thus you also have to ask yourself: Why to reinvent the wheel?
Most of those solutions also don't directly sign the document on the (android) client but do the actual signing on a central server. Using that approach you don't need to re-implement you solution for each platform (iOS, windows phone, Webbrowser on a desktop pc etc.)
I had stumbled upon this simple question of what is the best way for me to open a database or use a service which is secured, in the sense, will work only when correct password is provided.
I have looked at SharedPreferences as a way of retrieving information,but i need to create an app which will store the password in the first case, which by itself means i need to write it on code somewhere or the other
Account Manager is yet another way i've considered.
Store the actual password in an AES encrypted format, in a file, or in an sqlite db. But that means the key will have to be in the code.
I would've thought that this is a fairly common problem that people face and i'm wondering how people solved it!
In my opinion you can encrypt your data using AES encryption. But the main problem is the key is not safe. APK can be decompiled. So there is a method to hide the key. Implantation is bit difficult. Use native coding (NDK). You can write your key in a C file and after compilation you get a .SO file. This file can be included in your project. Make a call from java to a C function and return the key. But another problem is the strings written in C is visible when you open the .SO file. So assign generate ascii code of your key and make a string using the ascii code in C.
I signed my Android app with a keystore a couple years ago, now need to update it, and have forgotten the password that I used. I know it was probably a simple password, so is there any way to extract the hash of the password so I can brute force it?
I have been working with Patator to brute force the keystore but it seems like Patator can only try candidates from a list, not generate new candidates. But if I can get that password hash it seems like it would be an easier problem to solve.
Or if anyone knows anything else about brute forcing a password from a keystore I am all ears.
It's not that simple, but if you want to have go at it, the format is here: http://metastatic.org/source/JKS.html
You can also find relevant source on that site (for the store implementation, but you should be able to modify it try new things).
Getting the hash would only help you if use a rainbow table (precomputed hashes for common words/passwords). Since the JKS implementation has a salt (of sorts), you probably wouldn't be able to use a ready made table, and generating one would take about the same time. If you are sure it's simple, try using a larger dictionary. If it has numbers, symbols, combine the dictionary with those.
Or just publish the app again.
Actually I am new to android. Can we encrypt a folder which
contains sub folders and files in sdcard and decrypt it back ?
Any Help will be greatly appreciated.
Thank you.
How new are you to Java in general? You can use all the javax.security and javax.crypto classes (like Cipher) in Android to provide data encryption/decryption.
Keep in mind that files on the SD card can be accessed by the user directly (either by mounting on a PC and exploring or through File Manager apps), which means there is a chance that, while they may not be able to read the data in the file, a user could theoretically delete the directories you create there if they so choose...and that may not be kosher for your application.
Also, there really is no way to simply set up a folder as "encrypted" and automatically have any file there be protected for you. You would need to create the directory you want to use, and then encrypt/decrypt each file as you write/read the data.
Hope that helps!
If you're trying to encrypt data private to your application, and not the user, then you would need access to a key/token/nonce to unencrypt. Unless you're doing the encryption remotely or using the Android NDK it would be trivial to obtain the key/token/nonce and unencrypt it. Apk's aren't compiled and can easily be unpackaged and the source viewed.
You certainly can encrypt and decrypt data on Android as explained in the other answers. But consider the "doing" gets more complicated.
1) Use DES and a 56 bit key and you do not need an export license in the US. Use AES or TDES with 128 or 256 bit key and you may need to start filling out the paperwork :)
2) Unless you want the user to enter a passphrase exactly equal to the key size you may want to seed and then multi hash the passphrase using say SHA256.
3) You may need to encode the cipher data into a 64 bit character set (letters upper and lower case, numbers,+ and /) as cipher text. This usually takes groups of three bytes, expands them to four bytes with = as a pad when needed. Just search the internet for base64 encode decode algorithms.
4) You may want to add a LEVEL OF INDIRECTION into the scheme so that the user can change the password at a later date WITHOUT changing the file symmetric key. So there are two encryptions, encrypting the file with a random symmetric key and then encrypting the random symmetric key with the users passphrase. UGH.