In one application I use the Android KeyStore. I have set up a password for the whole KeyStore and for each password entry. Since these passwords are strings they are stored in string members in code. Oviously this is not safe if I want to publish the app, because a potential attacker could decompile an apk and get the password since it is hardcoded in the app. My questions are: In the scenario above: Would the attacker be able to read my keystore file or (on unrooted phones) may the file only be accessible by my app, so that the passwords alone are not sufficient? What is the best practice to handle KeyStore passwords? I looked around but did not find a definitive answer how to handle this. Edit for clearification: I do not talk about app signing but about storing cryptographic keys in the Android KeyStore protected with passwords. The app has to have access to the password during runtime to retrieve the key entries. Example of the current code: String keyStorePwd = "password1"; String keyEntryPwd = "password2"; FileInputStream fis = getApplicationContext().openFileInput("sms.keystore"); KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(fis, keyStorePwd.toCharArray()); SecretKey key = (SecretKey) ks.getKey("aes_key_sms_notifier", keyEntryPwd.toCharArray()); fis.close();

androidsecuritypasswordskeystoreandroid-keystore

Reputation: 1081

How to store Android KeyStore passwords securely

In one application I use the Android KeyStore. I have set up a password for the whole KeyStore and for each password entry. Since these passwords are strings they are stored in string members in code.

Oviously this is not safe if I want to publish the app, because a potential attacker could decompile an apk and get the password since it is hardcoded in the app.

My questions are:

In the scenario above: Would the attacker be able to read my keystore file or (on unrooted phones) may the file only be accessible by my app, so that the passwords alone are not sufficient?
What is the best practice to handle KeyStore passwords? I looked around but did not find a definitive answer how to handle this.

Edit for clearification: I do not talk about app signing but about storing cryptographic keys in the Android KeyStore protected with passwords. The app has to have access to the password during runtime to retrieve the key entries.

Example of the current code:

String keyStorePwd = "password1";
String keyEntryPwd = "password2";

FileInputStream fis = getApplicationContext().openFileInput("sms.keystore");
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

ks.load(fis, keyStorePwd.toCharArray());

SecretKey key = (SecretKey) ks.getKey("aes_key_sms_notifier", keyEntryPwd.toCharArray());
fis.close();

Upvotes: 8

Answers (2)

leonapse

Reputation: 244

It is not recommended to store passwords in your APK. Much more when we're talking about keystore passwords. Yes, attackers can and will find ways to read passwords because that's what they do. Read recklessly included passwords in the APK. There's a way specified using gradle on how to store keystore passwords, assuming you use gradle.

PROPERTIES FILE
If you are using version control, modify your .gitignore file to exclude keystore.properties, which is a file that will contain your passwords. Then push it into the repo. Doing this will prevent other developers in a shared project from knowing the keystore details. You can now create the actual keystore.properties file in the root of your project. The file should contain the following:

keyAlias yourKeyAlias  
keyPassword yourKeyPassword  
storeFile pathOfYourKeyStoreFile  
storePassword passwordOfYourKeyStoreFile

GRADLE
After setting up your keystore.properties file, modify your module-level gradle build file by defining a properties variable outside your android { ... } clause such as:

def keystorePropertiesFile= rootProject.file("keystore.properties")  
def keystoreProperties = new Properties()  
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))  

android { ... }

Inside android { ... }, declare signingConfigs { ... } such that:

android {
  signingConfigs {
    config {
      keyAlias keystoreProperties['keyAlias']
      keyPassword keystoreProperties['keyPassword']
      storeFile file(keystoreProperties['storeFile'])
      storePassword keystoreProperties['storePassword']
    }
  }

  ...........  

}

Finally, still inside android { ... } inside of your module-level gradle build file, you're supposed to have buildTypes { ... } clause which contains debug { ... } and release { ... } configs as default. Modify the release configurations such that:

  buildTypes {
    debug {
      *insert debug configs here*
    }
    release {
      *insert release configs here*

      signingConfig signingConfigs.config
    }
  }

Defining signingConfig signingConfigs.config in release { ... } will allow you to automatically sign your APK whenever you choose to create a release build, all of these without storing your keystore passwords in your APK. Cheers!

Upvotes: 17

Neoco

Reputation: 39

It is impossible to make an absolute solution to protect passwords in Android applications (.apk files). But you can try to protect it by:

Obfuscate your source code. Others will take a lot of time to find out the method you used to protect information.
Obfuscate all strings in your source code. All clear-text strings will be hidden, no one can see it easily.

You can do it by two way:

Obfuscate all strings manually, then use Proguard for obfuscating source code.
Use: Bg+ Anti Decompiler/Obfuscator. It's is a new solution for protecting Android Java Source by obfuscating, hiding, faking, checking,... techniques

Upvotes: 2

How to store Android KeyStore passwords securely

Answers (2)

Related Questions