I am developing an application for Android/iOS mobile devices. In this application, communication with the server is encrypted. When first started, the user application generates a public/private key pair. The public key is sent to the server, where it is stored, and the private key is stored on the client's device. In this respect, I believe it works similarly to the messaging application WhatsApp. However, I don't know how to protect this private password stored on the device. It cannot be captured by third parties, so as not to compromise user safety. How should I deal with this?
If the keys are not stored in specific hardware (HSM, TPM...), they can be extracted at some point. WhatsApp is an example: it already has systems to extract the keys, even without root. Android, in particular, has the "Keystore", which serves this purpose (https://developer.android.com/training/articles/keystore.html?hl=pt-br); iOS must have something similar.
– Inkeliz
Very interesting, I've always been curious to know how these applications were protecting the keys. But I believe there is a way to make this process difficult, to avoid at least being accessible to anyone, and so I will have to deal only with these tools and a smaller number of users with enough skill to extract the keys.
– DanOver
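As an added example (not code from either commenter), this is one way to generate the key pair inside the Android Keystore mentioned above, so the private key is created as non-exportable and the app only ever holds a handle to it. The alias `app_identity_key`, the choice of an EC P-256 signing key, and a minimum of API 23 are assumptions made for illustration.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.spec.ECGenParameterSpec

const val KEY_ALIAS = "app_identity_key" // hypothetical alias, not from the page

// Generates the key pair inside the Keystore; keyPair.public.encoded is what goes to the server.
fun generateIdentityKey(): KeyPair {
    fun generate(strongBox: Boolean): KeyPair {
        val purposes = KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
        val spec = KeyGenParameterSpec.Builder(KEY_ALIAS, purposes)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .apply { if (strongBox) setIsStrongBoxBacked(true) } // API 28+ only
            .build()
        return KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
            .apply { initialize(spec) }
            .generateKeyPair()
    }
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        // Prefer a dedicated secure element; fall back to the TEE if the device has none.
        try { return generate(true) } catch (e: StrongBoxUnavailableException) { /* fall through */ }
    }
    return generate(false)
}

// True when the key lives in TEE/StrongBox hardware rather than a software-only keystore.
fun isHardwareBacked(key: PrivateKey): Boolean {
    val factory = KeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
    val info = factory.getKeySpec(key, KeyInfo::class.java)
    return info.isInsideSecureHardware // deprecated since API 31 in favour of securityLevel
}

// Signs with the stored key; the private key material is never returned to the app.
fun sign(data: ByteArray): ByteArray {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as PrivateKey
    return Signature.getInstance("SHA256withECDSA").run { initSign(key); update(data); sign() }
}
```

When `isHardwareBacked` returns false, the key is protected only by the operating system, which is the extractable case the first comment describes.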