Reputation: 161
I am creating an app where I need a decryption key to decrypt videos and other data. I need to play videos offline, so I need to store the key in the app. If I use shared pref to store my key, or put it directly in a string, it can be easily hacked, and my data will not be secure any more. So where should I keep my key so that no one can find it by decompiling the app or rooting the phone to get to the key? I am thinking about where I should store data.
Upvotes: 3
Views: 1780
Reputation: 26034
There is a way to secure your encryption key in NDK.
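    // Requires: javax.crypto.Cipher, javax.crypto.KeyGenerator, javax.crypto.SecretKey,
    // javax.crypto.spec.SecretKeySpec, java.security.SecureRandom,
    // java.io.ByteArrayOutputStream, android.graphics.Bitmap

    // Encrypts `clear` with the raw AES key bytes in `raw`.
    // "AES" alone selects the provider's default transformation (ECB mode).
    private static byte[] encrypt(byte[] raw, byte[] clear) throws Exception
    {
        SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
        byte[] encrypted = cipher.doFinal(clear);
        return encrypted;
    }

    // Decrypts `encrypted` with the raw AES key bytes in `raw`.
    private static byte[] decrypt(byte[] raw, byte[] encrypted) throws Exception
    {
        SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, skeySpec);
        byte[] decrypted = cipher.doFinal(encrypted);
        return decrypted;
    }

    // Usage: bm is an existing Bitmap that is serialized to PNG bytes first.
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    bm.compress(Bitmap.CompressFormat.PNG, 100, baos);
    byte[] b = baos.toByteArray();

    // Derive a 128-bit AES key by seeding SHA1PRNG with the key string.
    // The output of a seeded SHA1PRNG is not guaranteed to be the same
    // across Android versions and providers.
    byte[] keyStart = "encryption key".getBytes();
    KeyGenerator kgen = KeyGenerator.getInstance("AES");
    SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
    sr.setSeed(keyStart);
    kgen.init(128, sr);
    SecretKey skey = kgen.generateKey();
    byte[] key = skey.getEncoded();

    // encrypt
    byte[] encryptedData = encrypt(key, b);
    // decrypt
    byte[] decryptedData = decrypt(key, encryptedData);

    // Load the native library and declare the native method that returns the key.
    static {
        System.loadLibrary("library-name");
    }
    public native String getSecretKey();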
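And save the following function in a file using the NDK:

    #include <jni.h>

    /* Returns the hard-coded key to the Java caller as a jstring. */
    JNIEXPORT jstring JNICALL
    Java_com_example_exampleApp_ExampleClass_getSecretKey(JNIEnv *env, jobject thiz)
    {
        return (*env)->NewStringUTF(env, "mySecretKey");
    }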
Now we can easily retrieve our key and use it to encrypt our data.
    byte[] keyStart = getSecretKey().getBytes();

Reference: How to store the Credentials securely in Android
Upvotes: 1
Reputation: 158
Create your own directory under the main Android default directory. In your directory, create multiple directories and hide the file in one of them. Other than that, there is no really secure way.
Upvotes: 0
Reputation: 73538
If the decryption key is at any point accessible to the application, it's accessible to any potential evildoer. This is a fact.
If your requirements are:
Then what you have are impossible requirements.
Upvotes: 3
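Added example, not part of any answer above: a release-build check in C that scans a native library image for printable strings, as the `strings` utility does, and shows that a literal passed to `NewStringUTF` sits in the `.so` in plain text. `SAMPLE_SO` and `CLEAN_SO` are constructed sample buffers, and `find_embedded_literal` is a hypothetical helper name.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a fragment shaped like a .so holding the JNI symbol
 * name and the key literal from the NDK answer, NUL-separated. */
static const unsigned char SAMPLE_SO[] =
    "\x7f" "ELF\x02\x01\x01\x00\x00\x00"
    "Java_com_example_exampleApp_ExampleClass_getSecretKey\x00"
    "mySecretKey\x00"
    "\x1b\x03\x3b\x00";

/* Constructed sample: the same fragment without the key literal. */
static const unsigned char CLEAN_SO[] =
    "\x7f" "ELF\x02\x01\x01\x00\x00\x00"
    "Java_com_example_exampleApp_ExampleClass_getSecretKey\x00"
    "\x1b\x03\x3b\x00";

/* Walk the image, split it into runs of printable ASCII of at least
 * min_len bytes, and look for needle inside each run.
 * Returns the byte offset of the first match, or -1 if there is none. */
long find_embedded_literal(const unsigned char *img, size_t len,
                           const char *needle, size_t min_len)
{
    size_t nlen = strlen(needle);
    size_t start = 0;
    if (nlen == 0)
        return -1;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(img[i]))
            continue;                      /* still inside a printable run */
        size_t run = i - start;            /* run ended at i (or at EOF)   */
        if (run >= min_len && run >= nlen)
            for (size_t j = start; j + nlen <= i; j++)
                if (memcmp(img + j, needle, nlen) == 0)
                    return (long)j;
        start = i + 1;
    }
    return -1;
}

int main(void)
{
    long hit = find_embedded_literal(SAMPLE_SO, sizeof SAMPLE_SO, "mySecretKey", 4);
    long miss = find_embedded_literal(CLEAN_SO, sizeof CLEAN_SO, "mySecretKey", 4);
    printf("sample image: %ld, clean image: %ld\n", hit, miss);
    return hit >= 0; /* non-zero exit fails the build when the key is embedded */
}
```

A clean result only means the literal is not stored verbatim; the key still has to exist in the app's memory when it is used.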