Android Security Essentials LiveLessons: Password Encryption

 
john paul lowe
Greenhorn
Posts: 1
Good afternoon,
I am doing research for our application and am evaluating alternatives for storing credentials for a web service on the device. Does anyone have any preferred methods for accomplishing this task? Thanks!
 
Godfrey Nolan
author
Greenhorn
Posts: 14
Safest way is to store the API key or username/password encrypted using a public key on the device and then send it to a backend server to decrypt it using the private key via SSL.
I use Google's keyczar to create the public/private key. It's an extra lookup but it keeps the information from being compromised.
I've also seen people put it in the Account Manager but the public/private key in my opinion is safer.


 
Ross Crockett
Ranch Hand
Posts: 30
I think I'm missing something, as couldn't someone root their phone, decompile the code and see the encrypted credentials and the location to send it to be decrypted? Do you have a link to an example of where this is done so I can see how it all hangs together?
 
Godfrey Nolan
author
Greenhorn
Posts: 14
There's synchronous and asynchronous encryption; synchronous encryption uses a single key. Like you point out that's not good as someone can decompile it and get the key and decrypt your data. But asynchronous uses a public/private pair. It doesn't matter if someone gets the public key when they decompile your file as all they can do is encrypt the data not decrypt it, only the private key can do that and that happens on the server not on the phone. I'll put something up on github tomorrow so you can play with it.
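An added example, not Godfrey's Keyczar code, that shows the split he describes using Go's standard-library RSA-OAEP in place of Keyczar: the device side holds only the public key and can do no more than produce the encrypted blob, while the backend, the only holder of the private key, recovers the secret. The key pair, the sample secret and the tamper check are constructed for the demo; in a real deployment the public key ships inside the app and the private key is generated and kept on the server.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateServerKey stands in for the operator's one-off Keyczar key generation:
// the public half ships inside the app, the private half never leaves the backend.
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// DeviceEncrypt models the app: with only the public key, all it can do is turn
// the secret into a blob that is stored on the device and later sent over TLS.
func DeviceEncrypt(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// ServerDecrypt models the backend, the only party holding the private key.
func ServerDecrypt(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}

// RoundTrip runs the device -> server flow and reports whether the backend recovered
// the secret and, thanks to OAEP padding, rejected a tampered copy of the blob.
func RoundTrip(secret []byte) (bool, error) {
	priv, err := GenerateServerKey()
	if err != nil {
		return false, err
	}
	blob, err := DeviceEncrypt(&priv.PublicKey, secret)
	if err != nil {
		return false, err
	}
	got, err := ServerDecrypt(priv, blob)
	if err != nil {
		return false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit, as a corrupted or edited blob would
	_, tamperErr := ServerDecrypt(priv, tampered)
	return string(got) == string(secret) && tamperErr != nil, nil
}

func main() {
	fmt.Println(RoundTrip([]byte("constructed-demo-api-key"))) // constructed sample secret
}
```

The blob is still a bearer value: whoever submits it to the backend gets it decrypted, so the server must authenticate the caller on the TLS connection rather than treat the blob itself as proof of identity.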
 
Henry Wong
author
Marshal
Posts: 22124
Godfrey Nolan wrote: There's synchronous and asynchronous encryption; synchronous encryption uses a single key. Like you point out that's not good as someone can decompile it and get the key and decrypt your data. But asynchronous uses a public/private pair. It doesn't matter if someone gets the public key when they decompile your file as all they can do is encrypt the data not decrypt it, only the private key can do that and that happens on the server not on the phone. I'll put something up on github tomorrow so you can play with it.

Just being pedantic... I think the correct terminology is Symmetric and Asymmetric Encryption.

Henry
 
Godfrey Nolan
author
Greenhorn
Posts: 14
Yeah, sorry of course you're right.
 
Godfrey Nolan
author
Greenhorn
Posts: 14
I put some code up at https://github.com/godfreynolan/Keyczar which hides an API key using Keyczar. The API key is in the res/xml folder in the Android code; it's already encrypted in this case and is sent back to the server so it can be decrypted using Keyczar. I'll put up a password example next.
 