
I am using Volley to send data to my server and I am putting all the necessary data in the header and in the body of the stringRequest.

After I send the request, I can capture the packages using WireShark and I am able to see all the data that has been sent, from the token in the header to all of the fields in the body (userId, etc).

How is encryption used in network connections using Volley?

Is there any way to encrypt the data in the header and the body of the request?


codeKiller
  • are you using http or https? – Sunny Nov 09 '17 at 09:46
  • http, it can be seen in the WireShark capture – codeKiller Nov 09 '17 at 09:48
  • use https and to further secure your connection use certificate pinning. – Sunny Nov 09 '17 at 09:49
  • I am not sure if I am able to use https on the server (almost sure I am not able), that is why I am trying to focus the question on http, I have no control over the server by the way. – codeKiller Nov 09 '17 at 09:50
  • Then you can simply use any encryption algorithm on the app side and send it to the server; the server will then decrypt it using the private key, which you will use to encrypt the data. – Sunny Nov 09 '17 at 09:53
  • good, then any recommendation or pointing to Android libraries for encryption?? – codeKiller Nov 09 '17 at 09:57
  • There are plenty of posts about it. Just search on Google. First choose any encryption algorithm, then learn how to use it on Android and on your server to encrypt and decrypt the data. – Sunny Nov 09 '17 at 10:05
  • @Sunny, ok thanks! – codeKiller Nov 09 '17 at 10:09

1 Answer


You can use the AES algorithm:

    import java.nio.charset.StandardCharsets;

    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.SecretKeySpec;

    public class AESEncryptionDecryption {

        // 16-byte (AES-128) key compiled into the app; every install shares it
        // and it can be read back out of the APK.
        private static final byte[] keyValue =
                new byte[]{'c', 'o', 'd', 'i', 'n', 'g', 'a', 'f', 'f', 'a', 'i', 'r', 's', 'c', 'o', 'm'};

        private static final String HEX = "0123456789ABCDEF";

        // Encrypts the text and returns the ciphertext as an upper-case hex string.
        public static String encrypt(String cleartext)
                throws Exception {
            byte[] rawKey = getRawKey();
            // Fixed charset so client and server agree on the bytes being encrypted.
            byte[] result = encrypt(rawKey, cleartext.getBytes(StandardCharsets.UTF_8));
            return toHex(result);
        }

        // Decrypts a hex string produced by encrypt().
        public static String decrypt(String encrypted)
                throws Exception {
            byte[] enc = toByte(encrypted);
            byte[] result = decrypt(enc);
            return new String(result, StandardCharsets.UTF_8);
        }

        private static byte[] getRawKey() throws Exception {
            SecretKey key = new SecretKeySpec(keyValue, "AES");
            return key.getEncoded();
        }

        private static byte[] encrypt(byte[] raw, byte[] clear) throws Exception {
            SecretKey skeySpec = new SecretKeySpec(raw, "AES");
            // Only "AES" is named, so the provider chooses mode and padding; on the
            // standard providers that is ECB with PKCS5 padding: no IV, no integrity
            // check, and identical plaintext blocks give identical ciphertext blocks.
            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
            return cipher.doFinal(clear);
        }

        private static byte[] decrypt(byte[] encrypted)
                throws Exception {
            SecretKey skeySpec = new SecretKeySpec(keyValue, "AES");
            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.DECRYPT_MODE, skeySpec);
            return cipher.doFinal(encrypted);
        }

        // Hex string -> bytes (two hex digits per byte).
        public static byte[] toByte(String hexString) {
            int len = hexString.length() / 2;
            byte[] result = new byte[len];
            for (int i = 0; i < len; i++)
                result[i] = Integer.valueOf(hexString.substring(2 * i, 2 * i + 2),
                        16).byteValue();
            return result;
        }

        // Bytes -> upper-case hex string.
        public static String toHex(byte[] buf) {
            if (buf == null)
                return "";
            StringBuffer result = new StringBuffer(2 * buf.length);
            for (int i = 0; i < buf.length; i++) {
                appendHex(result, buf[i]);
            }
            return result.toString();
        }

        private static void appendHex(StringBuffer sb, byte b) {
            sb.append(HEX.charAt((b >> 4) & 0x0f)).append(HEX.charAt(b & 0x0f));
        }
    }

For encryption, use this method:

String encrypted = "";
try {
    encrypted = AESEncryptionDecryption.encrypt(plain_text);
    Log.d(Constants.firebase_app, "encrypted:" + encrypted);
} catch (Exception e) {
    e.printStackTrace();
}

For decryption, use this method:

String decrypted = "";
try {
    decrypted = AESEncryptionDecryption.decrypt(encrypted);
    Log.d(Constants.firebase_app, "decrypted:" + decrypted);
} catch (Exception e) {
    e.printStackTrace();
}
Dilip
  • thanks for your answer. It seems like Android is implementing by default `TLSv1.2` for versions above 19, do you know if that is correct?, in my case I am developing for v24. – codeKiller Nov 10 '17 at 07:47
  • I think for encryption and decryption the version does not matter. – Dilip Nov 10 '17 at 07:50
  • ok, according to the answer below, the guy says that for Android versions 16-19 TLS is not activated and you might need to do it manually; that was why I was asking about the Android version. https://stackoverflow.com/questions/31269425/how-do-i-tell-the-tls-version-in-android-volley – codeKiller Nov 10 '17 at 07:53
  • If your URL is https then you don't need anything else, but as you said your URL is just http, then you need to do encryption and decryption. – Dilip Nov 10 '17 at 08:00
  • yes, that is the point of all this, and for that, TLSv1.2 should be enough. – codeKiller Nov 10 '17 at 08:18