When i develop any android application which is having the AES implementation and key should be common which is being used in server side as well as mobile side(client). So please suggest/ Guide me where should i store my key in device so that it will totally safe. Should i store that key in SQLite database ? or Should i make that key as string in code ?
Asked
Active
Viewed 344 times
1
-
Possible duplicate of [Android: What is a keystore file, and what is it used for?](https://stackoverflow.com/questions/6849558/android-what-is-a-keystore-file-and-what-is-it-used-for) – jww Jun 04 '17 at 08:53
1 Answers
0
Totally safe? Nowhere.
What threat vector are you trying to protect yourself against? If you're worried about just external attackers, downloading a key from the server and using it only in RAM or storing it in the keychain is sufficient.
If you're worried about the user/device owner- well, nothing stops him from just putting on a custom ROM that logs all calls to the keychain functions. Or that logs all data sent from the device. To even start to make that safe you'd need to use your own copy of libssl, your own http libraries (that do the encryption yourself), and never write it anywhere (request it from the server each time). And even then its not safe against anyone willing to do reverse engineering and figure out where in memory the key is saved.
If you really want to keep data safe- don't send it to the client.
Gabe Sechan
- 90,003
- 9
- 87
- 127
-
my problem is this i used AES in android studio/app development. where should i store the KEY ?? In android coding as a string like. String Key="XYZ"; or i should save in sqlite? But both ways are not secure any one can decompile apk and can see the String Key="XYZ" or any one can root the device and fetch the database and get the Key easily .. So please tell where i can store my KEY in android application (coding side) for security so no one can get. whenever app need app can get at coding point of view.. – – Gyan Swaroop Awasthi Jun 15 '17 at 11:19