3

My application would be frequently connecting to the web service to get some data in json.

Is there a way this data can be encrypted on server side and decrypted on application side so that data transferred is secure and safe?

Also, if the application comes with its own database (sqlite db file), is it possible for anyone using this application to look at this database (tables, fields and content)?

Regards, Sapan

Sapan

3 Answers

4

Your easiest option for transferring the data encrypted is to use SSL (i.e. https) for the communication between the app and the web service.

If you need to set up your own self-signed certificate for the server (instead of buying one) you might have problems getting android to talk with it, but it's doable. See this SO question for tips.

Regarding reading the database, it might be possible. I would assume that an attacker that got access to the phone could read the database, if they were determined enough. If you want the data to be really secure, you would have to store the database in an encrypted file and require the user to enter a password each time they open your app. You have to decide how much security you really need.

You should definitely go for SSL encryption of the data when you transfer it over the network, though.

Community
uvesten
  • Thanks for providing the answer. According to you, the database provided with the application in the assets folder can be read by an attacker. I provide an initial database and then let the user sync it with the db on the server. At my application launch, I copy the database file in the assets folder to the /data/data/package/databases folder. So, can the attacker also get access to this database? What I am trying to understand is if I give a minimal database with my application, and then let the user sync it with the server. So, even if he gets access to the packed database with the application, he will not get much information. – Sapan May 05 '11 at 04:23
  • It does not really matter where you put the database, it could probably still be read by a determined attacker _with access to the phone_ unless you encrypt and password protect the db. – uvesten May 05 '11 at 07:44
  • However, if your phone is stolen, would that be your biggest problem? If you by attacker mean _remote_ attacker (i.e. someone who hasn't stolen the phone or otherwise gets access to it) you should be safe. – uvesten May 05 '11 at 07:46
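
The self-signed-certificate setup mentioned in the first answer, sketched as an added example (not code from the thread or from the linked question): the app trusts only the server certificate it ships with, and hostname verification stays enabled. The class name `PinnedHttps`, its method names, and the idea of bundling the certificate as an app resource are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: HTTPS client that trusts exactly one bundled certificate.
public final class PinnedHttps {

    // certStream: the server's X.509 certificate (PEM or DER), e.g. opened
    // from a raw resource shipped inside the app (assumed packaging).
    public static SSLContext contextFor(InputStream certStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try {
            serverCert = cf.generateCertificate(certStream);
        } finally {
            certStream.close();
        }

        // Empty in-memory key store holding only the bundled certificate.
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);
        trusted.setCertificateEntry("server", serverCert);

        // Trust managers built from that store reject every other issuer,
        // so a certificate signed by anyone else fails the handshake.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens the JSON endpoint over TLS using the restricted trust store.
    public static InputStream openJson(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place on purpose: the
        // certificate must still match the host name in the URL.
        return conn.getInputStream();
    }
}
```

The certificate file contains only the public certificate, so shipping it inside the APK exposes nothing secret; the private key stays on the server.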
1

You can use crypto to encrypt/decrypt json in both android and server. It is very simple and secure. Using Base64 is not an efficient way, because anyone can decrypt. In this, you can use a secret key to encrypt and decrypt the String. If using the wrong key to decrypt, the output will be wrong.

http://www.androidsnippets.com/encryptdecrypt-strings

aNi
-4

I use Base64 encoding and decoding to encrypt data over the network.

Depending on the type of webservice you are using, it will or will not have Base64 encoding and decoding. You can always google for code made by others.

Depending on the Android version you are targeting.

From API level 8 and up: http://developer.android.com/reference/android/util/Base64.html

For lower: http://www.frankdu.com/notes/2011/01/27/base64-encoding-with-android-2-1-or-earlier/

You could also write your own encoding and decoding systems of course. ;)

Enadeag
  • But I am targeting versions starting at 2.1 and above. How do I implement both in my app? – Sapan May 04 '11 at 08:04
  • I'm also supporting 2.1 and up, and therefore used the second link for the encoding and decoding. – Enadeag May 04 '11 at 08:28
  • 4
    Base64 encoding is _not_ encryption! This answer is severely misleading. @Enadeag, if you think that base64 provides security, please think again. – uvesten May 04 '11 at 21:37
  • @Sapan, you really shouldn't accept this answer, it is wrong. – uvesten May 04 '11 at 22:11