0

I have a very simple iOS and Android applications that download a txt file from a web server and preset it to the user. I'm looking for a way that only the application will be able to read the file so no one else can download and use it.

I would like to take the file that is on my computer, encrypt it somehow, upload the result to the server and when the client will download the file it will know how to read it.

What is the simplest way to to this kind of thing?

Thanks a lot!

Chiko
  • 606
  • 9
  • 21
  • Don't reinvent the wheel, use an existing established tool to do secure transfers. You shouldn't need to do any crypto explicitly yourself. Something like this should do it although disclaimer I'm not a mobile developer https://github.com/jbardin/scp.py – machine yearning Oct 12 '15 at 11:45
  • Do simple thing while uploading file to server encrypt it with some logic like bit shifting and when reading on mobile after file downloading complete just decrypt it with reverse logic which you applied on server.it's just an example there are so many ways to do encryption and decryption. – johny kumar Oct 12 '15 at 11:50
  • 1
    @johnykumar Absolutely not, that is a terrible recommendation. Bit-shifting is not encryption. There are many ways to do crypto, but the only right way is to use a standard library. – machine yearning Oct 12 '15 at 11:54
  • m trying to tell him the way how to use not what to use.its just an example bit shifting will also change the format so that another person will not able to read it. – johny kumar Oct 12 '15 at 12:01
  • 1
    You can encrypt all you want, but it seems you're asking about authenticating and authorizing the client application which is not possible (DRM is a step in that direction). If that is not what you're asking, then please clarify your question and include a possible attack scenario that you want to protect against. – Artjom B. Oct 12 '15 at 12:06

3 Answers3

2

Well, to encrypt/decrypt a file (or anything, really) you need an algorithm to encrypt/decrypt and keys. If you use a symmetric encryption algorithm (such as AES) you use the same algorithm and key to bot encrypt and decrypt.

In short, you are looking for a symmetric encryption algorithm, such as AES, which you can find (among other tools) here- https://pypi.python.org/pypi/pycrypto

Now assuming you have a user signup system (or alternatively ask for a password), you can use the users password+salt as a seed to a secure random number generator (e.g. Blum-Blum-Shub) that will generate a key for each user (and a constant key for each such user), to encrypt/decrypt the file on the clients side. Note that this will result in the same key used to encrypt every file by the same user. For more entropy, you can (for example) combine the file name into the key, so that each file will have a different key.

mikibest2
  • 508
  • 1
  • 4
  • 9
  • Thanks for the answer. If I'll use this tool to encrypt the file, how will I be able to decrypt it using swift/Java? – Chiko Oct 12 '15 at 13:24
  • well if you need java tools, java has tools of its own (i linked this one because you tagged python). java has the Cipher class for encryptions- https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html – mikibest2 Oct 12 '15 at 13:48
  • Don't use Blum-Blum-Shub, use a curent method such as PBKDF2 (Password Based Key Derivagtion Function). – zaph Oct 14 '15 at 11:06
  • exactly what i needed. thanks a lot! – Chiko Oct 14 '15 at 11:20
-2

It's very wide question and the variety of ways to do that. First of all, you need to choose a method of the encryption and purpose why you encrypt the data.

There are 3 main encryption methods:

1. Symmetric Encryption

Encrypter and Decrypter have access to the same key. It's quite easy, but it has one big drawback - key needs to be shared, so if you put it to the client it can be stolen and abused.

As a solution, you would need to use some another method to send the key and encrypt it on the client.

2. Asymmetric Encryption

With asymmetric encryption, the situation is different. To encrypt data you need to use public/private key pair.

The public key is usually used to encrypt data, but decryption is possible only with a private key. So you can hand out public key to your clients, and they would be able to send some encrypted traffic back to you.

But still you need to be sure that you are talking to the right public key to not abuse your encryption.

Usually, it's used in TLS (SSL), SSH, signing updates, etc.

3. Hashing (it's not really encryption)

It's the simplest. With hashing, you produce some spring that can't be reverted, but with a rule that same data will produce the same hash.

So you could just pick the most suitable method and try to find appropriate package in the language you use.

Artemis
  • 4,821
  • 3
  • 21
  • 24
  • 2
    So much wrong with this. Hashing is not encryption. TLS/SSL only uses asymmetric for the handshake (authentication and symmetric session key exchange) and then uses symmetric with the session key for the bulk of the data exchange. But most importantly you shouldn't need to do any crypto yourself, since there are already libraries to do secure data transfer transparently. – machine yearning Oct 12 '15 at 11:59
  • 1
    Thanks for the comment! I agree reinventing the wheel is not the best way to do things. Regarding TLS/SSH - it's just a samples where asymmetric encryption is used. If you know more in details - please post a constructive answer would be glad to see it. – Artemis Oct 12 '15 at 12:15
  • Happy to see you knowledgeable and enthusiastic, sorry if I came off too harsh. My point was that he doesn't need to consider all these details or be/consult a crypto expert. Just pick a library that does what he wants (which really hasn't been clearly defined) and use it. It's all been done before. – machine yearning Oct 12 '15 at 12:27
  • Hashing is not encryption, please change the answer to be correct WRT hashing. – zaph Oct 14 '15 at 11:09
-3

you can either write your your own encryption algorithms or use existing ones like those in the C libraries (https://en.wikipedia.org/wiki/Comparison_of_Cryptography_Libraries) or in case of Android in java i.e. bouncy castle or spongy castle

See also this thread: BouncyCastle on Android

Community
  • 1
  • 1
ralf htp
  • 9,149
  • 4
  • 22
  • 34
  • 1
    Gotta recommend against doing either of these. There are already libraries which will do secure file transfer transparently. Don't do crypto yourself, you will mess it up. – machine yearning Oct 12 '15 at 11:47