
I am making a server API which will return some confidential keys to my app.

Then the app will use these keys to perform a particular action. I would be sending the keys over SSL so that any Man In the Middle attack could not read them.

To start, I will first be verifying the package name, and then I also want to verify something which assures me that my app has not been decompiled and recompiled and that the package is not fake.

Basically I want to avoid these issues:

1) Someone is not creating a fake package name and then sending the request
2) Someone has not recompiled my app and then sending the request
3) Someone is not tracking the response of the server via MIM

Till now, I have thought the best way would be to use a hash key and then compare it on my server to see if the POSTed key is the same as the one stored on my server.

But I have not been able to find a key which is attached to the signing key of the app and which cannot be accessed by anyone having the APK of my app.

Any help would be greatly appreciated.

Rajesh K

1 Answer


You can add an extra layer of protection if you create keys in your app using C++ code available through Android's NDK libraries. Here's an amazing tutorial for that. Basically, this protects your app from decompiling tools, which commonly decompile Java files. Also, I recommend adding AES encryption on your keys before sending them through the POST request to your SSL server.

In your onCreate() method, get the key from the native C++ implementation:

// JNI call into the NDK library; declared elsewhere as: native String invokeNativeFunction();
String nativeKey = invokeNativeFunction();

then encrypt it:

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Derive the AES key from the native secret with a real KDF (PBKDF2).
// Seeding SHA1PRNG with the secret, as older snippets do, is not a KDF and does not
// give a reproducible key on Android 7+, so the server could never derive the same key.
byte[] salt = "app-key-salt-v1".getBytes(StandardCharsets.UTF_8); // fixed, non-secret salt shared with the server
PBEKeySpec spec = new PBEKeySpec(nativeKey.toCharArray(), salt, 10_000, 128); // 192 and 256 bits may not be available
SecretKey skey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec); // use PBKDF2WithHmacSHA256 on API 26+
byte[] key = skey.getEncoded();

// encrypt: b is the payload to protect (here, the bytes of the key to send to the server)
byte[] b = nativeKey.getBytes(StandardCharsets.UTF_8);
byte[] encryptedData = encrypt(key, b);

Encrypt method:

private static byte[] encrypt(byte[] raw, byte[] clear) throws Exception {
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
    // Cipher.getInstance("AES") alone defaults to ECB, which leaks plaintext patterns;
    // use GCM (authenticated) with a fresh random 12-byte nonce per message.
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv);
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new GCMParameterSpec(128, iv));
    byte[] encrypted = cipher.doFinal(clear);
    // prepend the nonce so the receiver can initialise its cipher the same way
    byte[] out = new byte[iv.length + encrypted.length];
    System.arraycopy(iv, 0, out, 0, iv.length);
    System.arraycopy(encrypted, 0, out, iv.length, encrypted.length);
    return out;
}

Edit for CSRF:

There's an interesting answer here: Authenticity_token in Rails + Android. Also on Wikipedia there are quite a few suggestions as to how to counter cross-site request forgery, which include:

  • Synchronizer token pattern
  • Cookie-to-header token

to name a few.

Here's a layer of extra security to identify the authenticity of the app request as well: https://androidsecurity.info/tampering-detection-in-android/

MetaSnarf
  • Thanks for the answer. I don't know why someone has downvoted the answer. But actually I also need to verify the identity of the app sending the POST, to verify that it is only my original app sending the request. Is there any key, maybe my certificate key, which can ONLY be retrieved by my app at run time and which is attached to the POST request and then verified by my server? But the key should not be accessible to anyone such as a rooted user or a user who has my APK. PLEASE HELP. – Rajesh K Feb 11 '19 at 11:22
  • That part is a bit tricky to implement. If you have users in your app, it would be good to implement `access_token`s to ensure that only the app's users can access your app. Then include that access token in your POST request as well. – MetaSnarf Feb 11 '19 at 11:24
  • Thanks, but I can't be assigning access tokens to my users, as they are normal users who use the app. My API is going to be used to detect fraudulent users and then, based on that, return the type of key. Any other way? Maybe using the signing certificate? – Rajesh K Feb 11 '19 at 11:30
  • Thanks. I have accepted your answer as I think this is the best possible solution. – Rajesh K Feb 11 '19 at 11:55
  • Thank you @RajeshK. Good luck with the implementation. Comment back here on how you integrated it, as I'm also interested in it. – MetaSnarf Feb 11 '19 at 12:12
  • Here's a layer of extra security to identify the authenticity of the app request as well: https://androidsecurity.info/tampering-detection-in-android/ – MetaSnarf Feb 13 '19 at 07:20
  • Thanks for the link. It looks to be useful. Can you please add that link to the answer as well, as someone else might also benefit from this. – Rajesh K Feb 13 '19 at 09:37
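The answer lists the synchronizer token pattern as a CSRF counter-measure and the question proposes comparing a POSTed key against a value stored on the server. The following server-side sketch, added here as an example and not code from the question, the answer or the linked tutorial, shows both mechanics together: the server issues a random, short-lived, single-use token bound to a session, stores it, and checks the token sent back with the POST using a constant-time comparison. The class and function names (`TokenStore`, `issue_token`, `verify_token`, `handle_post`), the `X-CSRF-Token` header and the session cookie name are assumptions made for this example. Note what it does and does not prove: it stops a forged cross-site request from being accepted, but, like any secret shipped inside or derived by the APK, it cannot by itself tell the server which binary produced the request.

```python
"""Server-side synchronizer-token check for an app-to-API POST (illustrative example).

Assumed names: TokenStore, issue_token, verify_token, handle_post, the
X-CSRF-Token header and the "session" cookie. Requests are plain dicts so the
example runs offline without a web framework.
"""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # tokens expire after five minutes


class TokenStore:
    """Per-session single-use tokens kept in server memory."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._tokens = {}            # session_id -> (token, expires_at)

    def issue_token(self, session_id):
        """Create a fresh 256-bit random token for this session and remember it."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = (token, self._now() + TOKEN_TTL_SECONDS)
        return token

    def verify_token(self, session_id, presented):
        """Return True only for the unexpired token issued to this session.

        A matching token is consumed, so replaying the same request fails.
        An expired token is discarded. A mismatching value leaves the stored
        token in place so a stray bad request cannot lock the real client out.
        """
        entry = self._tokens.get(session_id)
        if entry is None:
            return False
        token, expires_at = entry
        if self._now() > expires_at:
            del self._tokens[session_id]
            return False
        # compare_digest avoids leaking the token through timing differences
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        del self._tokens[session_id]
        return True


def handle_post(store, request):
    """Gate a POST on a valid synchronizer token.

    `request` is a constructed dict: {"cookies": {...}, "headers": {...}}.
    Returns an (http_status, message) tuple.
    """
    session_id = request.get("cookies", {}).get("session")
    presented = request.get("headers", {}).get("X-CSRF-Token", "")
    if session_id is None or not store.verify_token(session_id, presented):
        return 403, "rejected: missing or invalid token"
    return 200, "accepted"


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue_token("session-abc")     # handed to the client with the page/response
    good = {"cookies": {"session": "session-abc"}, "headers": {"X-CSRF-Token": token}}
    print(handle_post(store, good))   # (200, 'accepted')
    print(handle_post(store, good))   # (403, ...) the token was single-use
```

In a real deployment the store would live in a shared cache rather than process memory, and the token would be delivered to the app in the response that sets the session, never hard-coded into the APK.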