
Android Security Essentials Live Lessons

 
paul nisset
Ranch Hand
Posts: 241
Hi,

What security issues would a developer face with an Android app that they would not face with other types of applications?

The one that comes to mind for me is the physical theft of a phone and the data or credentials stored on it .

Thanks,
Paul
 
Godfrey Nolan
author
Greenhorn
Posts: 14
Great question. Mobile apps are really a type of client-server app where the client moves around. A desktop app developer probably doesn't have to worry about someone gaining access to the app who isn't already logged on to the network. But with mobile apps that's not the case. The client may need to be secured and the network transmissions may also need to be secured, depending on what the app does. And because Android is based on Java, then like Java or C# or any other language that runs on a virtual machine, it's possible to decompile it into something close to the original code. So with Android you have to worry about the static information (such as encryption keys) that you have hard coded in your app, as well as the dynamic information (such as usernames and passwords) that you store on the client / device, as well as how you transmit the data back to the server so it can't be read or decrypted.
 
paul nisset
Ranch Hand
Posts: 241
Hi Godfrey,
That is a good point about decompiling the code.
You raise an interesting question.

I didn't know encryption keys would be hard coded into an application.
I thought they were dynamically generated by an algorithm like MD5 or SHA-256 that is applied to a password.

Thanks,
Paul
 
Godfrey Nolan
author
Greenhorn
Posts: 14
There are different encryption keys. What I was referring to is when someone stores a password or other info in shared preferences and, rather than put it in cleartext, encrypts it using an encryption key which is hardcoded in their Java code. The code is then decompiled and the password can be recovered using the hardcoded key. I wasn't talking about SSL. Does that make sense?
 
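The pattern Godfrey describes in the two posts above (a key compiled into the app, found by decompiling it, then used to read the "encrypted" value out of shared preferences) is concrete enough to show in code. The block below is an added example written for this thread; it is not code from the thread or from the book being discussed. It runs on a plain JVM, so a `HashMap` stands in for `SharedPreferences` (an assumption), the key, IV, passphrase and stored password are all made-up sample values, and `attackerDecrypt` plays the role of someone who has pulled the prefs file off a device and read the constants out of the decompiled classes. The second half shows one way to avoid having a usable secret in the APK at all: derive the key with PBKDF2 from something the user types at unlock time, and keep only the non-secret salt and IV beside the ciphertext. That alternative is this example's choice, not something the thread prescribes.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class HardcodedKeyDemo {

    // Stand-in for SharedPreferences so the example runs outside Android (assumption).
    static final Map<String, String> prefs = new HashMap<>();

    // ---- the vulnerable pattern ----------------------------------------------
    // A 16-byte AES key and a fixed IV compiled into the APK. A decompiler (or even
    // `strings` on classes.dex) shows these constants to anyone who has the app.
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static final byte[] HARDCODED_IV  = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII);

    static String encryptWithHardcodedKey(String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"),
               new IvParameterSpec(HARDCODED_IV));
        return Base64.getEncoder().encodeToString(c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    // What the attacker runs after reading the constants out of the decompiled app
    // and copying the prefs XML off a rooted device or an adb backup.
    static String attackerDecrypt(String storedValue, byte[] keyFromApk, byte[] ivFromApk) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyFromApk, "AES"), new IvParameterSpec(ivFromApk));
        return new String(c.doFinal(Base64.getDecoder().decode(storedValue)), StandardCharsets.UTF_8);
    }

    // ---- one alternative: no key in the binary -------------------------------
    // The key is derived from a passphrase the user enters. Salt and IV are stored
    // next to the ciphertext; neither is secret, and nothing in the APK decrypts
    // the value without the passphrase.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(passphrase, salt, 100_000, 256);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                          .generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    static void storeWithDerivedKey(String name, String plaintext, char[] passphrase) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16]; rng.nextBytes(salt);
        byte[] iv = new byte[12];   rng.nextBytes(iv);      // fresh 96-bit nonce per write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        prefs.put(name, b64.encodeToString(salt) + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct));
    }

    static String loadWithDerivedKey(String name, char[] passphrase) throws Exception {
        String[] parts = prefs.get(name).split(":");
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]), iv = b64.decode(parts[1]), ct = b64.decode(parts[2]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(128, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);   // GCM tag check rejects a wrong key
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable app: "encrypts" the password before writing it to prefs.
        prefs.put("password", encryptWithHardcodedKey("hunter2"));
        System.out.println("stored in prefs: " + prefs.get("password"));
        // Attacker: the constants lifted from the decompiled APK recover it directly.
        System.out.println("recovered:       " + attackerDecrypt(prefs.get("password"), HARDCODED_KEY, HARDCODED_IV));

        // Derived-key version: decompiling the APK yields no key to try.
        char[] pass = "correct horse battery staple".toCharArray();
        storeWithDerivedKey("password2", "hunter2", pass);
        System.out.println("with passphrase: " + loadWithDerivedKey("password2", pass));
        try {
            loadWithDerivedKey("password2", "wrong".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase: decryption fails, as intended");
        }
    }
}
```

Two caveats on the derived-key half. It moves the problem rather than removing it: the stored blob can still be attacked offline by guessing the passphrase, so the iteration count and the passphrase quality do the real work. And on a real device the usual answer is to keep the key out of the app entirely, in the Android Keystore system, so that the app asks the platform to encrypt and decrypt and never holds raw key bytes that a decompiler or a memory dump could expose; that is an Android API rather than plain JVM code, which is why it is not shown here.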
paul nisset
Ranch Hand
Posts: 241
Sort of.

In general, I would think it would be bad practice to hard code an encryption key in any sort of software.
It would be subject to a brute force attack. Once cracked, everybody using that software would be vulnerable.

Is that how passwords are stored on laptops, like OS X's keychain for example: encrypted with a common key for everybody?


thanks,
-Paul
 
Godfrey Nolan
author
Greenhorn
Posts: 14
It's not a good idea to hard code it, as someone will find it.
 
paul nisset
Ranch Hand
Posts: 241
Thanks.
 