dgel

Reputation: 16806

Prevent server from communicating with unofficial android clients

I have a project where my server needs to send a super-secret encryption key to an Android application. The secret key is used by the application for symmetric encryption to communicate with an approved, official Bluetooth device. It is essential that this key is not discovered, as it would allow anyone to communicate with the Bluetooth device outside of the application.

My question is, how can I protect this secret key from being discovered? I know that I can use SSL to communicate between the server and Android application, and I can make sure the secret key is never actually stored on the Android device.

But what techniques can I use to ensure that it is my unedited Android application communicating with the server and not another application masquerading as my own, trying to get the secret key?

Upvotes: 2

Views: 324

Answers (2)

Simon

Reputation: 14472

I don't believe that you can do this without a custom version of Android. My reasoning is that in order to determine if the calling app is genuine, it must send something to the server, SSL or not. That something must be derived from the app and whatever it is (package name, IME, etc.), it can be spoofed.

The best you can do is to encrypt that something and obfuscate the key needed to do the encryption but then, you are into the cost of reverse engineering versus the reward of getting your key.

Even if that cost is worth it, what are the chances that someone would expend the effort to crack your security and have knowledge and proximity to the Bluetooth device?

Upvotes: 0

CommonsWare

Reputation: 1007218

> But what techniques can I use to ensure that it is my unedited android application communicating with the server and not another application masquerading as my own, trying to get the secret key?

By definition, this is impossible.

Take your app. Change an uppercase A to a lowercase a in some string. Run that revised app. This is "another application masquerading as your own", one that is perfectly capable of talking to your server. Any other "application masquerading as your own" merely has more changes to it than the case of one letter.

Hence, you have two main choices:

  1. Use obfuscation techniques, both automated (ProGuard) and manual, to try to hide the communication with your server, then hope that nobody has the itch to scratch to still try and reverse-engineer it. You can check out the approaches people use to protect their app licensing code (e.g., LVL) for specific techniques. More advanced obfuscators, like DexGuard, may help. However, technically speaking, somebody still could reverse engineer the app -- all you are doing is making it harder.

  2. Come up with a business model where you do not care what applications interact with your Bluetooth device.

Upvotes: 1
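Both answers rest on the same point: the server only ever sees bytes the client chose to send. The following sketch is an added example, not code from either answer; the server check, package name, certificate digests and embedded secret are all hypothetical, constructed values, and it shows what a challenge-response check over app-embedded values does and does not distinguish.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for values that ship inside the APK (assumptions).
OFFICIAL_PACKAGE = "com.example.btcontrol"
OFFICIAL_CERT = hashlib.sha256(b"constructed official signing cert").hexdigest()
EMBEDDED_SECRET = b"constructed-obfuscated-secret"

def proof_for(nonce, package, cert, secret):
    # HMAC binding the server's nonce to the identity the client reports.
    return hmac.new(secret, nonce + f"{package}|{cert}".encode(), hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.pending = set()

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, package, cert, proof):
        if nonce not in self.pending:  # single-use nonce blocks replay
            return False
        self.pending.discard(nonce)
        if (package, cert) != (OFFICIAL_PACKAGE, OFFICIAL_CERT):
            return False
        expected = proof_for(nonce, package, cert, EMBEDDED_SECRET)
        return hmac.compare_digest(expected, proof)

def attest(server, reported_cert, secret):
    # The client sends whatever identity its code chooses to report.
    nonce = server.challenge()
    proof = proof_for(nonce, OFFICIAL_PACKAGE, reported_cert, secret)
    return nonce, proof, server.verify(nonce, OFFICIAL_PACKAGE, reported_cert, proof)

def demo():
    server = Server()
    resigned = hashlib.sha256(b"constructed third-party cert").hexdigest()
    cases = {
        "official": (OFFICIAL_CERT, EMBEDDED_SECRET),
        "edited_reports_official": (OFFICIAL_CERT, EMBEDDED_SECRET),  # same bytes on the wire
        "edited_reports_own_cert": (resigned, EMBEDDED_SECRET),
        "no_embedded_secret": (OFFICIAL_CERT, b"guess"),
    }
    results = {name: attest(server, *args)[2] for name, args in cases.items()}
    nonce, proof, _ = attest(server, OFFICIAL_CERT, EMBEDDED_SECRET)
    results["replayed_proof"] = server.verify(nonce, OFFICIAL_PACKAGE, OFFICIAL_CERT, proof)
    return results
```

The check rejects a replayed proof and a client that lacks the embedded values, but an edited build carrying the same constants is accepted exactly like the official one, so the decision to release the key cannot safely depend on it.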
