I have my consumer and secret key. I know I have to encode the secret key when it is included in my app. What is the best way to go around doing this?
The first solution could be to use obfuscation (search for ProGuard for Android, there are a lot of resources about it) and the next one could be to add extra security decoding all of your strings using one way encryption (algorithms like AES does are useful).
Of course the best option is to avoid adding this kind of keys and moving to the server side, adding the code to be used in the Android client. This solution not always can be applied, of course, but did you asked yourself if it's really needed the key in your client device? If you move your Twitter key to a server that does all the job related with the Twitter service (publish, get the timeline, etc), you won't need to add it to the app, you only will need to communicate securely your clients with your server. I know, that this solution only could apply if you have a really powerful service (lot of effort to do it) and you are able to sign to your server with secure methods (SSL, etc).
Related
I use yandex and google translate in my application and of course have unique API key, but everyone can steal it by decompiling my application. How can I hide it?
If i were you i will rent a server (maybe amazon) and create a database and insert our api key with simple encrypted string (hash etc.).
ID - Name - androidKey - key
1 - GoogleAPI - AJKBSASHUA9 - yourAPIKey
2 - YandexAPI - 5A6S5D6A53C - yourAPIKey
.
.
.
Then you can create a service which is run by your android packageName;
http://example.com/API/getAPIKey/
?packageName="yourPackageName"
&androidKey="AJKBSASHUA9"
And if you use POST method it is safe for you.
Simply, you can't do that inside your APK at all or inside the application. If someone want to get it, they will get it.
You are going to decipher them, I'll find the key inside the app.
You are going to put them in the web and fetch them after installation, I'll root my phone and get them.
And why would you hide them on the first place, they are assigned with the SHA1 fingerprint of your [Release|Debug] keystore and your package name and no one can have your release keystore and its password.
While you may not be able to achieve 150% security, you may want to take steps in your app to slow possible attackers down. This will result in some of them turning away from exploiting your application, simply because it is not worth the effort.
The OWASP Mobile Security Project has published their collection of "Top Ten Mobile Risks", of which especially the topics "Broken Cryptography" and "Lack Of Binary Protections" are interesting in your case. While even this link does not provide you with a simple "how to", I think it can help you to assess your situation.
I'm trying to secure a java app that I'm working on. This app has service wrapper that contains a list of parameters, among these a database password. So there are 3 solutions but I'm not sure that any one of them is possible.
1) encrypt the whole file without yet keep it usable.
2) store an encrypted password and add a encryption function to the file
3) create an external program that restores the encrypted password and call it's result in the wrapper.config file
After desperately searching the internet for a response I didn't find any helpful so I'm hoping to find someone who had a similar issue in here.
Another alternative would be to use a key store, as shown in this blog post, however you would still need to find a safe place to store the key to the key store itself. To go around this, you could make your application ask the user the password to the key store, this way the data will be secure but you do not store any (keystore) passwords. That being said, if you are willing to ask your user for a password each time the application switches on, one might as well simply ask the user for the DB password right away.
If you are encrypting the file, you would still need to ship the key with which the application will need to do the decryption. This would mean that potentially users would still be able to look into your application and decrypt the file as they please.
I think that if you really want a safe solution, the answer would be to simply not store the password yourself, but rather ask the users for the password each time.
When you compile a .java file into a .class file, if you had a line like
String s = "This is a String"
If you open up the .class file in a text editor, you will see
This is a String
Somewhere in the file amidst the gobblety gook.
Which is fine and dandy for most stuff, but not when dealing with sensitive information like API keys.
Of course, one alternative is to read the API key in from another file, but that just makes it EASIER to find the key, as now the person can just open "key.txt" when they open the .jar file.
So how do you encrypt a string literal in your .class file?
When you send code to a 3rd party, you loose all control over it. Even if you where to embed the API key as an encrypted string, an attacker could still try, and potentially succeed in breaking it, which would make all your encryption/decryption efforts in vain.
The best solution, in my opinion, would be to not provide any sensitive information within the application, but rather provide it with an ID of some sort. Any sensitive values which it needs would be then pulled through the use of a secure connection.
If you use a key to access a 3rd party API there is no way to protect that key from the end-user IF you ship it with your code / application or you want your application to be able to access the 3rd party API without a middleman.
The end-user could just read all data send from your app to the end-point and know the API key. Regardless of any measures you took to encrypt it you will need to send it atleast once decrypted to the 3rd party.
The safe way to do this is to require your user to log in to a service provided by you, send a request to YOUR service and then YOUR service (which is presumably not located on the machine of your end-user) sends a request to the API with the key. So the end-user never knows of the key.
If you store the information in the class file, the decryption key should come from outside of the class. You can crypt the data, but if you have all the information within the class file, you are lost.
You should store API keys in config files. You have a different API keys for development and for the live, right?
Other possible solution is to use KeyStore, which allows you to store sensitive information in publicly accessible format. Only the holder of the secret key can decrypt the sensitive data.
Even if you keep that information encrypted in your class, a hacker can find the mechanism to decrypt that from your code only. So IMHO it's better to keep that encrypted information in some other file, and read that file. Also, restrict the access to that file using OS security mechanisms.
I'm writing a small Android app and I need to hide some variable values. I have a API key I got from the content provider who is providing me content to show in my app that I need to retrieve data from them. Because it is being used in an encryption algorithm, it is of vital importance the code isn't leaked.
I need to save the API key in my code and be sure it isn't retrievable by the bad people in the world. What I do now, is save them in my code as a variable:
private static final String API_KEY="mysupersecreatapikey";
After the app is compiled to an APK file, this is, in my opinion not retrievable anymore. Am I doing it in the right way now, or is there a better solution?
Thx in advance,
Daryl
You could store the API key in a file located in storage. You can encrypt the API key when you write it to the file and then you can decrypt it when you are reading it (upon program execution)
If you put the API key into the client in any form that can be used by the client it will be possible to get to it somehow. Maybe by unwrapping the APK and decompiling the code, maybe by traffic sniffing. That private static final variable for example can likely be extracted by a decompiler (if it's bytecode).
If you want to make really sure that none of your users can get to the API key then your app shouldn't be using it directly. Instead have it connect to a web service you set up that serves session IDs for example. That web service that runs on a server that you have control over (quite a few options) would then be the only piece of software that knows the API key.
But depending on the use case this might be a complete overkill solution to this problem.
The other day, Google notified me that my Gmail account may have been compromised as it had been accessed by two IP addresses from out-of-the-ordinary locations. Since I generally (and stupidly) use the same password for every website, I decided to change things up and use different passwords.
Being an Android developer, I have decided to start developing a password keeper application for which I can store my usernames and passwords, as it is difficult to remember different passwords. I do not want to take the easy route and download an existing third party password keeper application.
This got me thinking, what is the best way to secure usernames and passwords in my application? Currently, I require a password to view a list of accounts that can be added. I am also storing usernames and passwords into a database. It seems that Android cannot natively encrypt a database, however. I could encrypt the values that I store in the database, but if someone got their hands on my phone, they could find out the encryption if they really wanted to. Or, I could use a server for encryption/decryption, but then you have a server that has to be maintained and can be compromised.
I would love to get some opinions on the topic. While I know that perfection cannot be achieved, what would be a good method to implement for my Android application?
You are certainly going to require the user to provide a PIN or password every time they want to add/view the password list, right? Why not use that as the encryption key, meaning that if someone gets your phone they still cant acces or decrypt the passwords without knowing the user defined key.
take a look at the application 1password they are probably the best password keeper app on the market. Their philosophy is they store all your passwords behind a 128bit encrypthon where you use your 1password to get in. Other than that all website passwords are randomly generated alphanumeric strings. So there is really no collision chance and you are safe where ever you browse.
You shouldn't use a server that just means that people can assume their passwords are sitting somewhere and if you are a good app developer the passwords on the server will be just as secure as if you store them client side.
As for finding out the encryption if they "really wanted to" That is really up to the user picking the one password they key all their information with. Yes, it is possible to crack encryptions with brute force but if the user picks a non dictionary alpha numeric string, the probability of getting through is near impossible. Also if you encrypt everything properly, they cannot just "break" the encryption.
Last just because I can
Credits XKCD