How exactly SQLCipher for Android Application works?
http://sqlcipher.net/design/
As i understood it all depends on PRAGMA key and this key should be saved on app, maybe in binary.
However this is insecure as alomst everyone could decompile .apk file on rooted phone.
Maybe i missed something ?
Thank you.
As i understood it all depends on PRAGMA key and this key should be saved on app, maybe in binary.
No.
Maybe i missed something ?
The key comes from the user, in the form of a passphrase that the user types in. In SQLCipher for Android, this passphrase is passed to methods like getReadableDatabase() on the revised version of SQLiteOpenHelper.
Yes, securing the key is the tricky part. Ideally it's (partly) supplied by a password the user enters when signing on to the app, but that isn't always ideal, so sometimes you have to resort to the much-maligned "security by obscurity" approach and assemble the key from bits and pieces stashed here and there.
The SQLCipher team universally recommends against embedding a fixed key in an application binary. No matter how creative an application is about obscuring an embedded key, a sufficiently determined attacker will be able to extract it from the application package and open a database.
Unfortunately some applications still choose to use SQLCipher with embedded keys as a rudimentary form of DRM, i.e. by making it difficult for casual users to view data. However, this does not provide any substantial amount of security.
If you need to protect sensitive data the best approach is to use a key derived from a strong passphrase entered by the user. SQLCipher provides strong key derivation automatically, so all you need to do is provide the user passphrase through PRAGMA key or one of the equivalent keying mechanisms provided in SQLCipher wrapper libraries.
I generate key form secureRandom and then save key on KeyStore (BKS).
For KeyStore i generate password using: random, user info, device info and password.
Related
My question is that there is a section in the gradle file called signingConfigs.
Is it a problem if the password is entered here?
Should I be worried about this?
Thanks.
We should NOT do this. These params are there for testing convenience.
We should NEVER store ANY crucial, personal, sensitive information as plaintext.
The testing key passwords and stuff just use dummy values. The actual release key we generate via AndroidStudio or Java keystore directly.
For PlayStore app releases, key files I usually let Google assign, manage and maintain via Developer Dashboard.
I am trying to develop an android app in java which needs encryption. Also I want to use AES-256 for encryption. But when I look a tutorial of it, It always generates a random key. My question is: How can I decrypt a string if I encrypt it with a random key? Also I tried almost every code in web, but none of them worked, so can you provide a AES-256 encryption code with no salt and IV. If I know something wrong, please correct me and teach me the truth.
Details: I am trying to make a password manager app. App has two passwords, first one is the master password that we use for encryption string data. Second one is the passwords that we want to manage. Master password is stored in users mind. And other password will be stored in the app with encrypted version. When user wants to see his passwords he will input his master key to decrypt the encrypted passwords. So how can I do it? And user's master password will be 32 or 64 digit and I don't think we need to generate a random key. Can you show me some way? I am not native english speaker, sorry for my bad english. Thanks for help.
My question is: How can I decrypt a string if I encrypt it with a random key?
You can't. You need to save the key (somewhere). Then when you want to decrypt the file you restore the key that you used to encrypt the file and use it to decrypt.
Here is an Answer that explains how to save an AES key to a file and restore it: https://stackoverflow.com/a/7176483/139985. Notice that the example encodes the key in hexadecimal before writing it to disk.
However. Anything that entails storing an encryption key (in the clear) in a file in the file system is vulnerable. If someone or something can compromise the security of the OS / file system where the key is held, they can read the file containing the key ... and ... decrypt what ever the key has been used to protect.
A better idea is to use some kind of secure key store / vault.
My advice: if you are write an app that manages passwords for other people, you really, really need to have a deep understanding of how to do this securely. And if you don't, pay a qualified IT security professional to design and implement that aspect of your system for you.
Just reading some tutorial and asking on StackOverflow does not cut it!
I want to use Aes to encrypt some data and decrypt them later. I created a jks keystore, the problem is where to read the keystore and keys password. Putting the master password in the code seems not really secure. Same thing if I put in the properties file or environment variable. I could use jasypt library to keep encrypted the master password in the properties but again I need another password and the problem again where to store it. What is the best way or guidelines in these cases? I can't use a command line input neither a command line parameter.
Another question: if I keep my keys into the Google memcache, is it secure?
Check Vault project.
I don't recommend you to use Google Memcache for such things. It's pretty similar to situation, when you store your master key in database or file. However, you decide, what level of security for data you need. Sometimes, properties file is enough.
It seems that I have misplaced a password for a Keystore for an Android project. I still have the keystore, but not the password. However, the password is saved in Eclipse in the Signing and Keys tab. I also have the secure_storage file within the org.eclipse.equinox.security directory, and it seems that my stored password is there, encoded. It makes sense to me that were I to use the stored password-version of the Keystore, that password would need to be decoded at some point, to be passed to the Keystore. Therefore, I'm wondering what I'd need to do to decode that myself, and retrieve the password.
Any help would be appreciated!
Tim
After much research, I have found how to recover the password from the Secure Storage. As I surmised, Eclipse must have a way to extract the saved password, otherwise it could never be used to unlock the keystore. I found this post: Eclipse password recovery which led me into the method to view the saved passwords. The only bit that took some work was actually executing the code. I didn't go the eclipse-shell path, but instead created a eclipse plugin project using that code. Note that that code will not work in a standard Java project.
Of course, the actual Secure Storage is encrypted with the OS authentication, so this would only work for decrypting the password from the machine where it was originally encrypted. The problem was never about decrypting without the proper ciphers, but about using the built-in decrypting methods to get a clean-text password.
No, you can not. It uses the operatingsystems cryptation or/and the jvms. Standard is usually some AES-256 bits and is very hard to break.
I don't think you will get any help here.
The other day, Google notified me that my Gmail account may have been compromised as it had been accessed by two IP addresses from out-of-the-ordinary locations. Since I generally (and stupidly) use the same password for every website, I decided to change things up and use different passwords.
Being an Android developer, I have decided to start developing a password keeper application for which I can store my usernames and passwords, as it is difficult to remember different passwords. I do not want to take the easy route and download an existing third party password keeper application.
This got me thinking, what is the best way to secure usernames and passwords in my application? Currently, I require a password to view a list of accounts that can be added. I am also storing usernames and passwords into a database. It seems that Android cannot natively encrypt a database, however. I could encrypt the values that I store in the database, but if someone got their hands on my phone, they could find out the encryption if they really wanted to. Or, I could use a server for encryption/decryption, but then you have a server that has to be maintained and can be compromised.
I would love to get some opinions on the topic. While I know that perfection cannot be achieved, what would be a good method to implement for my Android application?
You are certainly going to require the user to provide a PIN or password every time they want to add/view the password list, right? Why not use that as the encryption key, meaning that if someone gets your phone they still cant acces or decrypt the passwords without knowing the user defined key.
take a look at the application 1password they are probably the best password keeper app on the market. Their philosophy is they store all your passwords behind a 128bit encrypthon where you use your 1password to get in. Other than that all website passwords are randomly generated alphanumeric strings. So there is really no collision chance and you are safe where ever you browse.
You shouldn't use a server that just means that people can assume their passwords are sitting somewhere and if you are a good app developer the passwords on the server will be just as secure as if you store them client side.
As for finding out the encryption if they "really wanted to" That is really up to the user picking the one password they key all their information with. Yes, it is possible to crack encryptions with brute force but if the user picks a non dictionary alpha numeric string, the probability of getting through is near impossible. Also if you encrypt everything properly, they cannot just "break" the encryption.
Last just because I can
Credits XKCD