I recently found that the databases of Android apps are totally exposed. That said, my configuration is exposed, I save there passwords.
So, now my doubt resumes on java code.
String value = "example";
This could be an example where I store a password to pass by reference to webservice.
People, with some kind of software (like this example Is there a way to get the source code from an APK file?) could be able to get all the code? (I tried to follow the steps without success)
I read about http://developer.android.com/tools/help/proguard.html, how do I know that it's already implemented in my project?
When you create an Android project, a proguard.cfg file is
automatically generated in the root directory of the project.
I checked my root directory and I don't have that file.
Thank you guys.
Obfuscation does not guarantee that your code won't be de-compiled. people who get your apk will still be able to review the code (although the flow of the app will be significantly more difficult to understand). Function names, variables and class names are changed but the code is still viewable.
password and other sensitive information should be kept in Android's keychain , where it's protected. never save passwords in a configuration file (preferences file).
You can look into encrypting your local database with sqlcipher. Proguard obfuscates code but will not hide your passwords if you have them hardcoded anywhere, it is not a tool to be used for security[reference]. Also all of your network traffic is vulnerable unless you use some sort of TLS.
As you describe your app now it is trivial to get the passwords in your app.
You can use char[ ] instead of string data type for storing sensitive values like password. This will make it difficult to recover if someone takes memory dump as value is not present string literal pool if used char[] data type.
Related
I have looked at this answer provided here, and here, and here
The answers provide some useful information but I wanted to know if there are better ways to do it.
I have built my apk and I used pro guard, but when i decompiled the apk, everything was the same as they were before the compression.
The name of the classes and some variables were obfuscated but a Newbie could have looked at the code and would understand how the app works.
In my app I want to hide the core network communication between the app and the server. For example, the address of the server, the JSON format etc.
I came across something as way to protect from decompilation is putting the java.class files into jars and then signing them and then add them as a library to my app.
My question is:
Is it the correct way to do it ie. using the jar signing ?
No. Jar signing is used to make sure the file isn't tampered with. You can still decompile it.
Rather than wasting time worrying about decompilation, you should concentrate on something useful. Obfuscation is used to save space in Android, not to prevent people from looking at your code. Besides, did you really create something so special that you need to protect it? (Be honest now)
I'm writing a small Android app and I need to hide some variable values. I have a API key I got from the content provider who is providing me content to show in my app that I need to retrieve data from them. Because it is being used in an encryption algorithm, it is of vital importance the code isn't leaked.
I need to save the API key in my code and be sure it isn't retrievable by the bad people in the world. What I do now, is save them in my code as a variable:
private static final String API_KEY="mysupersecreatapikey";
After the app is compiled to an APK file, this is, in my opinion not retrievable anymore. Am I doing it in the right way now, or is there a better solution?
Thx in advance,
Daryl
You could store the API key in a file located in storage. You can encrypt the API key when you write it to the file and then you can decrypt it when you are reading it (upon program execution)
If you put the API key into the client in any form that can be used by the client it will be possible to get to it somehow. Maybe by unwrapping the APK and decompiling the code, maybe by traffic sniffing. That private static final variable for example can likely be extracted by a decompiler (if it's bytecode).
If you want to make really sure that none of your users can get to the API key then your app shouldn't be using it directly. Instead have it connect to a web service you set up that serves session IDs for example. That web service that runs on a server that you have control over (quite a few options) would then be the only piece of software that knows the API key.
But depending on the use case this might be a complete overkill solution to this problem.
I am writing an SDK for Android that will be used by many different apps. Each app needs to know if there is a previous installation of another app that uses the SDK; the first one will create a random id (a cookie) and store it, all later apps have to read it and reuse it. Note that the cookie will be created anew for every device.
I have searched for a long time for the answer; please read thoroughly before answering because I have read lots of different StackOverflow answers and have scoured the internet reading random blogs; I have tried a lot of things but none worked (I will save you the links).
A ContentProvider is definitely overkill. Also it needs to intrude an app's AndroidManifest.xml, something I am trying to avoid.
Likewise for a service: needs to be defined in the AndroidManifest.xml, which I do not control and do not want to require changes to.
Using external storage would perhaps be an option, but I don't want to require additional permissions.
Using SharedPreferences directly with getSharedPreferences() does not work because apps can only access their own preferences.
I can get a common preferences object using createPackageContext(package, MODE).getSharedPreferences(). This would work beautifully if I had a main package and many clients of the data, but in fact I don't know the package of the app that will be installed first -- it can be any of them. I don't even have a list of package names to search. Passing a package name which has not been installed fails.
Following the approach above, I have tried to piggyback on some standard Android app which I can count on, and store my preferences there -- say:
createPackageContext(
"com.android.browser",
Context.CONTEXT_RESTRICTED)
.getSharedPreferences(
"GLOBAL_PREFS",
Context.MODE_WORLD_READABLE);
but it does not work: the error reads
Couldn't create directory for SharedPreferences file
/data/data/com.android.browser/shared_prefs/GLOBAL_PREFS.xml
So, to recap: I need to store a piece of data (a short string) in some standard location, so that any other app can go there and read it if present, and it should work if at all possible without doing any magic in the AndroidManifest.xml or requesting any permissions.
There probably isn't any perfect answer, so perhaps the best solution is to write to external storage; then so be it. To put things into context, apparently it is trivial to do this on iOS using a keychain, designed to store secure data.
Unfortunately there really isn't a great answer for this that I know of. You've come up with a pretty good outline of your options and the best way may well be with external storage.
Just to throw something out there, I suppose it's possible you could use a flat file with a fixed name and world readable (and possibly writable) permissions. You'd have to then iterate through all applications' directories and check for this known-named file in each folder and attempt to open it.
While this might work theoretically, consider the case where the app that contains the "cookie" is uninstalled. Then you're left cookie-less. You might want to create the cookie in every app, copying over the value of the previous cookies to new cookies.
I haven't actually tried this, but I imagine it should work.
The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.
I was wondering what's the security of Android's resources folders (I'm especially concerned with strings). I know, I know, it would be ridiculous to store a password in Strings.xml. It's not like that, but how easy it is to snoop on these resources, to access sensible app info?
Unfortunately it is pretty easy to get to the resources. Tools like apktool enable to do that. I have raised a similar question here. You may want to take a look.
Easy on a rooted phone. Expect anyone can read your string resources shared preferences, etc. I just hooked up ADB, changed to /data/data/com.tumblr/shared_preferences and read my username and password in the clear.
You can also download and decompile the apk. If you need to keep it secret, encrypt it.
The primary rule of thumb here is that ANYTHING stored on the device is open for sniffing and cracking.
There is no such thing as local security against those in physical control of the device.
Even if you encrypt it, the keys for decryption have to exist on the device or be easily accessible by the device.
As a side note, this is the number one reason for features such as Remote Wipe.
So, if you plan on storing something sensitive or just plain don't want a slightly interested user to see the data you've stored on the phone, then you're out of luck.
I know that the xml files are scrambled in the apk, but there is a hacker tool for unscrambling them back to plain text. I can't remember the name of it but I found it OK via Google. It works unfortunately!