1

I'm trying to build my own custom alternative to LVL, and I have to do some server side validations.

When data is transmitted through the internet, it is possible to intercept it if not secured propperly. All though HTTPS offers more security than the standard protection, it might not be enough.

I'm reading a .txt file from the internet, and data from it is downloaded to the phone. Is it possible to use encryption on the android device in order to hide what web address it connects to and the data it retrieves? I'm already using HTTPS. Connection code:

URL url = new URL(protocol + website + dir + file);
BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream()));

EDIT

Besides protecting the connection, what is the best way to protect the data with encryption with a key?

2 Answers2

1

Yes. Totally. Easiest way to do it is serving your content (.txt file) with a HTTPS server. (HTTP-S, where S is for secure).

Pablo Santa Cruz
  • 176,835
  • 32
  • 241
  • 292
  • No other alternatives? Locally on the device? –  Aug 30 '16 at 18:56
  • Do you want to encrypt it locally? – Pablo Santa Cruz Aug 30 '16 at 19:01
  • if it improves security, yes. In order to mask in and outgoing data to make it hard(er) to see what site it connects to and the data being downloaded. Added code for the connection in my question –  Aug 30 '16 at 19:03
1

As Pablo said, using HTTPS is the correct way of transmit securely information from one side to another. HTTPS (HTTP + SSL/TLS) was designed preciselly for that. In fact, what HTTPS does is encrypt the data using a session key negotiated between ends and valid only for the current session (or even for part of it), so is pretty secure.

You could encrypt the document using some algorithm, but that will add some overhead that you do not need..

Sergio Pio Alvarez
  • 68
  • 5
  • I haven't really gotten very deep into the actual function of HTTPS; Is it possible without decrypting the session to see what address it is connected to? –  Aug 30 '16 at 19:17
  • You mean hiding the name or ip address, and port, that your app on the phone is connecting to? That information can never be hidden, because intermediate devices, like proxys, routers and other servers, have to know where to send your data. HTTPS works encrypting your data, which remains secure, but can't to anything with routing info. – Sergio Pio Alvarez Aug 30 '16 at 19:29
  • "You could encrypt the document using some algorithm, ..." I have been looking into this. The issue is finding an encryption algorithm(e.g. AES, Base64, Rot13) that can be handled with a key on Android on API 14+. I preffer not to use Base64 because it is not really an encryption: http://stackoverflow.com/a/4070709/6296561 –  Aug 31 '16 at 13:19
  • With HTTPS your data is truly encripted using pretty strong reversible shared-key algorithms; the algorithm is negotiated between your app and the server at the begining of the connection and the same with the shared key. If you encript the data yourself you will have to use a common key which has to be known by your app and the server. What if you have multiple instances of your app? will each instance have its own key (the server hast to known each one) or will all instances use the same hardcode key? Both are impractical, the latter is insecure. What happens if you have to change the key? – Sergio Pio Alvarez Aug 31 '16 at 14:06
  • Actually, I'm planning on using a key that can be found inside the application itself; It will be available everywhere, yet not encoded into the code. I have found some AES examples and I'm going to do some testing on it. –  Aug 31 '16 at 14:15