
I want to implement encryption in my Android app and found a library that I think fits my requirements. I plan to store the salt in SharedPreferences, and the key would be inside gradle.properties as an environment variable. Then the encrypted key would be generated at run-time via the library.

My question is more about whether my planned solution is secure enough that my app can't easily be compromised. Is it possible for the user to view the encrypted key at run-time with just the APK? And is my way of storing the salt and key acceptable, or is it still not secure?

kobowo
  • Aren't there ready-to-use crypto libraries for Android, that do all that stuff for you? If you have to ask these questions, you're clearly out of your depth to implement these things. The general rule of cryptography is: *"In production: Don't roll your own crypto!"* – datenwolf Jun 24 '19 at 05:39
  • I'm using a library that's cross-platform because we also support iOS. The libraries handle the salting and encryption... my only worry is if users can view the encrypted key (generated at run-time) and do something with it maybe? Basically I'm just being paranoid, that's all – kobowo Jun 24 '19 at 05:42
  • Possible duplicate of [android studio open debug mode when app is running](https://stackoverflow.com/questions/17677506/android-studio-open-debug-mode-when-app-is-running) – Feras Al Sous Jun 24 '19 at 05:57
  • If a user has physical possession of the device, they can take it apart in any way they want. *Regular “users”* probably can’t see much into your app, dedicated people can theoretically read contents from raw memory if necessary… – deceze Jun 24 '19 at 05:58
  • Okay, thanks! That's basically what I wanted to know. – kobowo Jun 24 '19 at 06:00

0 Answers