Paul

Reputation: 6176

Where to store my keys to encrypt data on mobile?

I don't understand what a hacker can and cannot see when he gets into a mobile app, for example on Android. He decompiles the .apk, then sees some .class files. If, for example, I encrypt a key/value pair in a file, I still need to call this key from the code, and if the hacker can see the code, then no matter whether the key is encrypted, he will know which key I am calling?

My goal is to keep some encrypted string in my app, for example the Twitter account ID of my app. Some topics talk about "a private key to read what was encrypted with a public key", but if I use them, I still need to store them somewhere in my app...

Upvotes: 2

Views: 1733

Answers (3)

chariot423

Reputation: 1263

A very determined person can crack it, but it's a major pain to crack encrypted strings and it will stop most hackers, especially if you obfuscate your code with something like ProGuard.

Answer to a similar question for details on how to encrypt

Upvotes: 1

nedR

Reputation: 635

I don't completely understand your requirement, but the rule of thumb is to always assume that the client is not to be trusted. You have to ensure that:

  • All decryption should be done on your server (which you trust).
  • The client should never be able to access the decrypted data (unless you want it to). Hence, whatever part of your code needs to directly access the decrypted data should be on the server.
  • The client should have only the encrypted data (if it must store data at all).
  • The client should not be able to access the private key you used to encrypt the data.

If, in your case, your client must be able to access the critical data directly, then your only resort is to use obfuscation techniques (basically hiding your data/code to make it hard to find/understand). Of course, all obfuscation techniques can eventually be defeated by a determined hacker. You have to decide how valuable your data is and what the probability is that a hacker will try to access it. To take an extreme example: storing your Twitter account and password using obfuscation is very bad. Storing a Twitter URL might not be so bad.

Upvotes: 1

Sanket Kachhela

Reputation: 10876

You can get your keys from the server while launching the app. Also, don't keep in-app purchase details in SharedPreferences or SQLite, because on a rooted device the user can see that data file with a root browser or an SQLite editor application, so the user will be able to change the value.

Upvotes: 1
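The two answers above (nedR's "the client is not to be trusted, keep the key on the server" and Sanket's "a rooted user can edit SharedPreferences/SQLite") describe the same design, so here is one worked example of it. This is added illustration, not code from the question or the answers: a server-side key is used to sign the state the app stores locally, the client keeps only the signed blob, and the server re-checks it on every request. A user who edits the stored file on a rooted device cannot produce a valid tag because the key never left the server; the block also shows that if the same key were shipped in the APK, an attacker who extracted it could mint any state they like. The key, user name and `premium` flag are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example key. In a real deployment this lives only on the server
# and is never compiled into the APK, otherwise decompiling recovers it.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    # URL-safe alphabet has no '.', so '.' can safely separate body and tag.
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(server_key: bytes, claims: dict) -> str:
    """Server side: serialize the claims canonically and append an HMAC-SHA256 tag.
    The client stores the returned string (e.g. in SharedPreferences) but cannot
    alter the claims without the tag failing verification."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(server_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(server_key: bytes, token: str) -> Optional[dict]:
    """Server side: recompute the tag over the presented body and compare in
    constant time. Returns the claims, or None for anything malformed or forged."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(server_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def tamper_premium_flag(token: str) -> str:
    """What a user with root access can do to the locally stored file:
    flip the stored value to claim a purchase, keeping the old tag."""
    body_b64, tag_b64 = token.split(".", 1)
    claims = json.loads(_unb64(body_b64))
    claims["premium"] = True
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(body) + "." + tag_b64


def demo():
    # Honest flow: server issues state, client stores it, server accepts it later.
    token = issue_token(SERVER_KEY, {"user": "alice", "premium": False})
    honest = verify_token(SERVER_KEY, token)

    # Rooted device: the stored file is edited, but the tag no longer matches.
    forged = verify_token(SERVER_KEY, tamper_premium_flag(token))

    # If the key had been embedded in the app and extracted, the attacker simply
    # runs issue_token themselves, which is why the key must stay server-side.
    leaked_key = SERVER_KEY
    minted = verify_token(SERVER_KEY, issue_token(leaked_key, {"user": "alice", "premium": True}))
    return honest, forged, minted


if __name__ == "__main__":
    print(demo())
```

The same shape applies to the Twitter account ID in the question: if the app only ever needs the server to act on that value, the value and the key stay on the server and the app carries nothing worth decompiling for.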
