
I don't understand what a hacker can and cannot see when he gets into a mobile app, for example on Android. He decompiles the .apk, then sees some .class files. If, for example, I encrypt a key/value pair in a file, I still need to call this key from the code, and if the hacker can see the code, no matter whether the key is encrypted, he will know which key I am calling?

My goal is to keep some encrypted string in my app, for example the Twitter account ID of my app. Some topics talk about "a private key to read what was encrypted with a public key", but if I use them, I still need to store them somewhere in my app...

AstroCB
Paul

3 Answers


You can get your keys from the server while launching the app. Also, don't manage in-app purchase details in SharedPreferences or SQLite, because on a rooted device the user can see that data file from a root browser or an SQLite editor application, so the user will be able to change the value.

Sanket Kachhela
  • For the in-apps, do you mean we have to add each user to a database with their in-app objects? I was looking to create an app to be used offline... – Paul Jan 29 '14 at 07:36
  • Just check whether the user has purchased any item every time you launch the app, so if a hacker changes your data in SharedPreferences or SQLite, the user has the original data, not the changed one. To check purchased items, see point 3 of this: http://developer.android.com/google/play/billing/api.html – Sanket Kachhela Jan 29 '14 at 07:41
  • @SanketKachhela thanks, and can he not read the .class file and change it as he wants? Like changing the result received from the server, or accessing the `public enum` that specifies the different in-apps, etc.? – Paul Jan 29 '14 at 17:10

I don't completely understand your requirement, but the rule of thumb is to always assume that the client is not to be trusted. You have to ensure that:

  • All decryption should be done in your server (which you trust).
  • The client should never be able to access the decrypted data (unless you want it to). Hence whatever part of your code that needs to directly access the decrypted data should be in the server.
  • The client should have only the encrypted data (if it must store data).
  • The client should not be able to access the private key you used to encrypt the data.

If in your case your client must be able to access the critical data directly, then your only resort is to use obfuscation techniques (basically hiding your data/code to make it hard to find/understand). Of course, all obfuscation techniques can be defeated eventually by a determined hacker. You have to decide how valuable your data is and what the probability is that a hacker will try to access it. To take an extreme example: storing your Twitter account and password using obfuscation is very bad. Storing a Twitter URL might not be so bad.

nedR
  • You're right; for what is like Twitter and needs internet access, I could leave that to the server. One thing, though, I don't understand: `hiding your data/code`: can he read the .class file and see that we call a specific, same key before persisting some specific data? For example, I need to retrieve the level key; how should I do it? Encrypt the name "level", for example, and call the key with the encrypted "level" name... won't he be able to see that I encrypted "level" and looked for the encrypted key for level? – Paul Jan 29 '14 at 07:32
  • In principle, yes, if the value of "level" is stored or created in the client. The trick is to make it less obvious that the value is not level. You can use ProGuard for code obfuscation. For strings you might have to try the methods others have suggested. In addition, you could look at https://developers.google.com/games/services/android/antipiracy or https://developer.android.com/google/play/licensing/overview.html to try to ensure that the client is unmodified. – nedR Jan 29 '14 at 17:53

A very determined person can crack it, but it's a major pain to crack encrypted strings, and it will stop most hackers, especially if you obfuscate your code with something like ProGuard.

See the answer to a similar question for details on how to encrypt.

hypd09
  • Thanks; yes, actually I might prefer obfuscation over being 100% secure, as I would like the app to be usable offline, with in-apps though... One thing I don't understand: you write the secret key in the code; won't the code be accessible to the hacker, letting him read the string with the secret key, the private key to decrypt, and the method you used to encrypt? – Paul Jan 29 '14 at 07:40