Android Security Essentials LiveLessons: Password Encryption

 
Greenhorn
Good afternoon,
I am doing research for our application and am evaluating alternatives for storing credentials for a web service on the device. Does anyone have any preferred methods for accomplishing this task? Thanks!
 
author
The safest way is to store the API key or username/password encrypted with a public key on the device, and then send it to a backend server, which decrypts it with the private key, over SSL.
I use Google's Keyczar to create the public/private key pair. It's an extra lookup, but it keeps the information from being compromised.
I've also seen people put it in the Account Manager, but the public/private key approach is, in my opinion, safer.


 
Ranch Hand
I think I'm missing something, as couldn't someone root their phone, decompile the code and see the encrypted credentials and the location to send it to be decrypted? Do you have a link to an example of where this is done so I can see how it all hangs together?
 
Godfrey Nolan
author
There's synchronous and asynchronous encryption; synchronous encryption uses a single key. As you point out, that's not good, as someone can decompile it, get the key and decrypt your data. But asynchronous encryption uses a public/private pair. It doesn't matter if someone gets the public key when they decompile your file, as all they can do is encrypt the data, not decrypt it; only the private key can do that, and that happens on the server, not on the phone. I'll put something up on GitHub tomorrow so you can play with it.
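The pattern described above, written out as an added example (this is not the code from the post or from the Keyczar repository it mentions): the device side holds only the server's public key and uses it to encrypt the API key; the server side holds the private key and decrypts. Both halves run in one process here so the round trip can be checked offline; the key pair, the transformation string, the class and method names and the sample credential are all assumptions of this example. Plain Java SE APIs are used (java.util.Base64 needs Android API 26; on older Android use android.util.Base64 instead), and transport over TLS is out of scope.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import javax.crypto.Cipher;

/**
 * Added example (not from the original thread): public-key encryption of an
 * API key on the "device", decryption on the "server". Class and method
 * names are assumed for illustration.
 */
public class ApiKeyEnvelope {

    // RSA-OAEP with SHA-256: randomised padding, so encrypting the same key
    // twice gives different ciphertext, and the plaintext cannot be confirmed
    // by re-encrypting a guess with the public key.
    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Device side: only the public key is compiled into the APK. Someone who
    // decompiles the app and recovers it can encrypt, but never decrypt.
    public static String encryptOnDevice(PublicKey serverPublicKey, String apiKey) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, serverPublicKey);
        byte[] ciphertext = cipher.doFinal(apiKey.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ciphertext); // the blob stored in the app
    }

    // Server side: the private key never leaves the backend.
    public static String decryptOnServer(PrivateKey serverPrivateKey, String blob) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, serverPrivateKey);
        byte[] plaintext = cipher.doFinal(Base64.getDecoder().decode(blob));
        return new String(plaintext, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // The pair is generated here only so the demo is self-contained; in a
        // real deployment it is generated on the server and just the public
        // half is shipped inside the app.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();

        String apiKey = "example-api-key-12345"; // constructed sample credential

        String blob = encryptOnDevice(pair.getPublic(), apiKey);
        System.out.println("ciphertext shipped in the APK: " + blob);

        // Anyone holding the blob can hand it to the server; only the server
        // can turn it back into the API key.
        String recovered = decryptOnServer(pair.getPrivate(), blob);
        System.out.println("server recovered: " + recovered);
        if (!recovered.equals(apiKey)) {
            throw new IllegalStateException("round trip failed");
        }
    }
}
```

One check worth making against this design before adopting it, following on from the objection raised in the thread: the public key prevents recovery of the plaintext from a decompiled APK, but the server will decrypt whatever blob it is handed, so the extracted ciphertext together with the endpoint is still enough to use the credential. Whatever the server does after decrypting (and how it decides which callers it will decrypt for) therefore matters as much as the encryption itself.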
 
author

Godfrey Nolan wrote: There's synchronous and asynchronous encryption; synchronous encryption uses a single key. As you point out, that's not good, as someone can decompile it, get the key and decrypt your data. But asynchronous encryption uses a public/private pair. It doesn't matter if someone gets the public key when they decompile your file, as all they can do is encrypt the data, not decrypt it; only the private key can do that, and that happens on the server, not on the phone. I'll put something up on GitHub tomorrow so you can play with it.

Just being pedantic... I think the correct terminology is symmetric and asymmetric encryption.

Henry
 
Godfrey Nolan
author
Yeah, sorry of course you're right.
 
Godfrey Nolan
author
I put some code up at https://github.com/godfreynolan/Keyczar which hides an API key using Keyczar. The API key is in the res/xml folder in the Android code; it's already encrypted in this case and is sent back to the server so it can be decrypted using Keyczar. I'll put up a password example next.
 