
I had stumbled upon this simple question of what is the best way for me to open a database or use a service which is secured, in the sense that it will work only when the correct password is provided.

  1. I have looked at SharedPreferences as a way of retrieving information, but I need to create an app which will store the password in the first place, which by itself means I need to write it in code somewhere or other.

  2. Account Manager is yet another way I've considered.

  3. Store the actual password in an AES encrypted format, in a file, or in an sqlite db. But that means the key will have to be in the code.

I would've thought that this is a fairly common problem that people face and I'm wondering how people solved it!

gaara87

1 Answer

-2

In my opinion you can encrypt your data using AES encryption. But the main problem is that the key is not safe. An APK can be decompiled. So there is a method to hide the key. Implementation is a bit difficult. Use native coding (NDK). You can write your key in a C file and after compilation you get a .so file. This file can be included in your project. Make a call from Java to a C function and return the key. But another problem is that the strings written in C are visible when you open the .so file. So generate the ASCII codes of your key and make the string from the ASCII codes in C.

Zacharias Manuel
  • Storing the key in your code (including native and in ascii) does not provide security, it provides obscurity. This might be acceptable to you or not, depending on the price of losing access to your protected data, but understand that with this method, someone wanting the data _will_ get it. – mah May 18 '12 at 11:09
  • A .so file cannot be decompiled. Make a string using ASCII in C itself – Zacharias Manuel May 18 '12 at 11:10
  • then why don't you just use ASCII codes in the first place without bringing in the C/NDK stuff? – waqaslam May 18 '12 at 11:10
  • Because APK files can be decompiled. So the ASCII is visible – Zacharias Manuel May 18 '12 at 11:11
  • @Zacharias if you believe that a .so cannot be reverse engineered then you are very mistaken and should probably not be answering security questions. Just because _you_ cannot reverse engineer them does not mean it cannot be done or that it's even difficult. There are tools which you may be unaware of but that make it trivial. – mah May 18 '12 at 11:12
  • I have tried to decompile a .so using Linux. But the result was negative. – Zacharias Manuel May 18 '12 at 11:15
  • @Zacharias, let me repeat something you must have missed: just because _you_ do not know how to do it does not mean that it cannot be done or that it's even difficult. Let me ask you this: would you feel comfortable giving me your bank website credentials in a .so, along with a program that's able to use that .so to extract them? I promise it would not work out in the way you would like. – mah May 18 '12 at 11:23
  • looks like the question is still pretty open – gaara87 May 19 '12 at 06:18
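The thread's open point is that any key shipped inside the app, whether in Java, in a .so, or assembled from ASCII codes, can be recovered from the installed package. The alternative that sidesteps that problem is to keep no key in the app at all and instead derive it from the user's password at unlock time, storing only a random salt and a verifier. The example below is added here for illustration and is not code from the question, the answer or any Android library; it is written in Python for readability (PBKDF2 with HMAC-SHA256 is also available on Android through javax.crypto), and the iteration count and the "vault" naming are assumptions.

```python
import hashlib
import secrets
import hmac

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption for
# illustration; tune it to what the target device can afford per unlock.
KDF_ITERATIONS = 200_000
SALT_LEN = 16
KEY_LEN = 32  # 256-bit key handed to the database/encryption layer
DERIVED_LEN = KEY_LEN * 2  # key material plus a same-sized verifier


def derive_material(password: str, salt: bytes) -> bytes:
    """Stretch the user's password into 64 bytes: the first half is the
    encryption key, the second half is stored as a verifier. Only the
    password is secret, and it is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=DERIVED_LEN)


def create_vault(password: str) -> dict:
    """Run once, when the user sets the password. Returns the only things
    the app needs to persist (e.g. in SharedPreferences or a file): a
    random salt and the verifier half. Neither reveals the key."""
    salt = secrets.token_bytes(SALT_LEN)
    material = derive_material(password, salt)
    return {"salt": salt, "verifier": material[KEY_LEN:]}


def open_vault(password: str, stored: dict):
    """Run at each unlock. Re-derives the material from the typed password
    and returns the key only when the verifier half matches (constant-time
    compare); returns None for a wrong password."""
    material = derive_material(password, stored["salt"])
    if not hmac.compare_digest(material[KEY_LEN:], stored["verifier"]):
        return None
    return material[:KEY_LEN]


if __name__ == "__main__":
    # Constructed sample run: set a password, then try a right and a wrong one.
    persisted = create_vault("correct horse battery staple")
    print("right password ->", open_vault("correct horse battery staple", persisted) is not None)
    print("wrong password ->", open_vault("hunter2", persisted) is not None)
```

Because the verifier is a slow KDF output rather than the password or key itself, an attacker who dumps the app's storage still has to guess the password; the only thing left to protect in code is nothing.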