I was wondering what's the security of Android's resources folders (I'm especially concerned with strings). I know, I know, it would be ridiculous to store a password in Strings.xml. It's not like that, but how easy it is to snoop on these resources, to access sensible app info?
Unfortunately it is pretty easy to get to the resources. Tools like apktool enable to do that. I have raised a similar question here. You may want to take a look.
Easy on a rooted phone. Expect anyone can read your string resources shared preferences, etc. I just hooked up ADB, changed to /data/data/com.tumblr/shared_preferences and read my username and password in the clear.
You can also download and decompile the apk. If you need to keep it secret, encrypt it.
The primary rule of thumb here is that ANYTHING stored on the device is open for sniffing and cracking.
There is no such thing as local security against those in physical control of the device.
Even if you encrypt it, the keys for decryption have to exist on the device or be easily accessible by the device.
As a side note, this is the number one reason for features such as Remote Wipe.
So, if you plan on storing something sensitive or just plain don't want a slightly interested user to see the data you've stored on the phone, then you're out of luck.
I know that the xml files are scrambled in the apk, but there is a hacker tool for unscrambling them back to plain text. I can't remember the name of it but I found it OK via Google. It works unfortunately!
Related
What could be used instead of Shared Preferences for storing user information? People say Shared Preference is not Secure.
You can use SQLCipher library for encrypted database or encrypt/decrypt values yourself with some key and store result in SharedPreferences. To store keys use Android keystone system.
If you are storing information in the users' device, no approach is 100% secure. You can hide the information in some ways (eg. encoding, encryption, etc) but still won't be 100% secure.
In order to make your information secure, you will need to store the information in a remote server.
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem premissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps runs with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see.
You can also use Database with encryption like whatsapp. Its a best way for security point of view. If you want you can hide the Database also.
I'm creating an android app which has an option for client to send email using JavaMail API.
I am using my email address to do this. I just want to make sure that where should I save my password. Is it safe to save it in the resources? If not, can you please suggest any method to do so?
Thanks in advance
Unfortunately, keeping passwords in resources is not good idea, because anyone can very easily read it (using i.e. apktool).
Keeping it in code isn't also safety, beacuse apk can be easily decompile and (even if code is obfustated) it can be found.
Sending it from the server site can be also dangerous,
because it could be sniffed (even if https would be used).
In sum it isn't good idea to use your email address.
Why every user can not use their own email? In this situation you can save user passwords (for future use) in shared preferences (like Shane said).
I need to save some URL that could change later in my app. I want that no-one can see them and find these URLs.
I tried SharedPrefences and database but they are easily accessible by any one who has a rooted phone.
Is there anyway to encode this data and save them in SharedPrefences so that I can decrypt it in the app?
encrypted-userprefs is a good library that allows you to encrypt the saved preferences. However, keep in mind that through reverse engineering, it might still be possible to retrieve the encryption keys from your APK and since you're using a URL, your app is likely to request it at some point where a network tool such as WireShark can observe it.
You can make it difficult, but you can't make it impossible.
Think about it: you want the information to be accessible to your app (you didn't say that, but I'm assuming it), but inaccessible to everyone else. That means your app has to have more information than anyone else, even a human who has root access to the phone.
Anyone who has that level of access to your phone has access to the app's bytecode. They can use this to see what your app does, down to the finest detail. In other words, what information does your app have that a human can't gain access to? None. Anything your app can do, a determined human with root access can also do.
Sensitive information should always be stored server-side. Even then, anyone with root access to your server can get at that information (for the same reasons as above); but the idea is that everyone and their mother can download the app, but people you trust (employees, etc) can get at the server.
I recently found that the databases of Android apps are totally exposed. That said, my configuration is exposed, I save there passwords.
So, now my doubt resumes on java code.
String value = "example";
This could be an example where I store a password to pass by reference to webservice.
People, with some kind of software (like this example Is there a way to get the source code from an APK file?) could be able to get all the code? (I tried to follow the steps without success)
I read about http://developer.android.com/tools/help/proguard.html, how do I know that it's already implemented in my project?
When you create an Android project, a proguard.cfg file is
automatically generated in the root directory of the project.
I checked my root directory and I don't have that file.
Thank you guys.
Obfuscation does not guarantee that your code won't be de-compiled. people who get your apk will still be able to review the code (although the flow of the app will be significantly more difficult to understand). Function names, variables and class names are changed but the code is still viewable.
password and other sensitive information should be kept in Android's keychain , where it's protected. never save passwords in a configuration file (preferences file).
You can look into encrypting your local database with sqlcipher. Proguard obfuscates code but will not hide your passwords if you have them hardcoded anywhere, it is not a tool to be used for security[reference]. Also all of your network traffic is vulnerable unless you use some sort of TLS.
As you describe your app now it is trivial to get the passwords in your app.
You can use char[ ] instead of string data type for storing sensitive values like password. This will make it difficult to recover if someone takes memory dump as value is not present string literal pool if used char[] data type.
The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.