How to safely use passwords within an Android app?

I'm developing an Android application in which I need to authenticate the app user and return some information, but this information lives in a remote database (MySQL). For this I have developed an API that receives a GET or POST value containing an encrypted string and returns the user's values; in this case I am using AES encryption, which needs a key for encryption and decryption.

My concern is: how can I use this key (static String AESKey) for AES encryption inside the Android application without the risk of the application being cracked and the key read?


  • An Android application is written in Java, so it is easy to break. Two options: 1) write that piece of code in ARM; 2) keep the key on the PHP side. So you want to connect? OK, PHP sends you an SMS with the key and you type the key into the Android app, where it is recognized for (for example) 10 minutes.

  • I don't quite understand the purpose of the key, nor the encryption process. Is your concern the security of the communication? (Use SSL.) Or is it authenticating the user, i.e. each user will have a different key? (Store that key in the app's private folder.) Or something else? Symmetric encryption alone doesn't do much, so I suggest you review your design. If you explain better what your main concern is, I can give more details.

  • My need is to develop an application that connects to a remote DB which is part of a tour guide site; in this application the user must log in with the same credentials as on the site. So I thought of developing an API so that the app would make a request and the API would return the user's values as JSON, and for that I thought of generating a string in Base64 or AES. The problem with this is that, as there is no token or anything like that, any user can reach the API and make any request via GET or POST.

1 answer

The best way to answer the question is:

Do not store your password in the code as it will be easily read.

Of course, a solution to your question also depends a lot on the service your application connects to... but starting from the point where you have access to both the application and the server...

The path you want to follow, besides needing encryption, will clearly need to work with certificates, etc. Protecting your password is the least of the problems you will face on this journey, where the golden rule is... never, but never, store a password in the code when its security is a requirement.

Having said that, I want to point out that, from experience, the level of security you end up implementing will be proportional to the importance the market/users place on your application. This is because, for any of us who create applications, the importance of our own creation is always maximum.

Yet we often forget to look at the reality of it.

Realizing that you are looking for a technical answer to this problem, and in order to help better with this issue and within what you are implementing... I suggest several solutions... but all very questionable with regard to security:

  1. Obfuscate the code

  2. Make the password as random as possible

  3. Use strong algorithms

etc., etc., etc.

Looking at your code snippet and realizing that you need to manage a password that will be used in the communication between two points, which should be as confidential as possible... and assuming that the password can be dynamic and not imposed by the server you connect to, and if the cost of SSL is not in your best interest, then why not use the SSL algorithm Diffie-Hellman? That is, through its mathematical model it is possible for two points to agree on a key for each new connection.

This way you will never need to save passwords. Warning: this algorithm is vulnerable to man-in-the-middle attacks... and so, once again... SSL is required.
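The exchange the answer describes, and the man-in-the-middle it warns about, as an added example that is not code from the question, the answer or the asker's app. It is written in Python rather than the Java/PHP of the post so it runs stand-alone with no third-party packages. Assumptions: the group is a demo-sized 128-bit safe prime generated at import time (a real deployment uses a standardized group of 2048 bits or more, e.g. RFC 3526 or RFC 7919), and the party names "app", "api" and "mallory" are illustrative.

```python
"""Diffie-Hellman key agreement and the man-in-the-middle it does not stop.

Added example, not code from the question or answer. Pure Python, no
third-party packages. Assumption: a demo-sized 128-bit safe prime is
generated at import time; a real deployment uses a standardized group of
2048 bits or more (RFC 3526 / RFC 7919) and, as the answer says, TLS.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with both p and q prime (a 'safe prime')."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


# Demo group (constructed at import). g = 4 is a square modulo p, so it
# generates the subgroup of prime order q, where a DH party should live.
P = generate_safe_prime(128)
Q = (P - 1) // 2
G = 4


class Party:
    """One endpoint of the exchange. Only the public value ever leaves it."""

    def __init__(self, name, p=P, g=G):
        self.name, self.p, self.g = name, p, g
        self.q = (p - 1) // 2
        self.priv = secrets.randbelow(self.q - 1) + 1    # private exponent in [1, q-1]
        self.pub = pow(g, self.priv, p)                  # this is what goes over the wire

    def shared_key(self, peer_pub):
        """Derive the session key from the peer's public value.

        Rejects 0, 1, p-1 and anything outside the order-q subgroup: such
        values let an attacker force a predictable secret or leak bits of priv.
        """
        if not 1 < peer_pub < self.p - 1 or pow(peer_pub, self.q, self.p) != 1:
            raise ValueError(f"{self.name}: invalid peer public value")
        secret = pow(peer_pub, self.priv, self.p)
        length = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def honest_exchange():
    """App and API exchange public values directly: both derive the same key."""
    app, api = Party("app"), Party("api")
    return app.shared_key(api.pub), api.shared_key(app.pub)


def mitm_exchange():
    """Mallory replaces each public value in transit with their own.

    Returns (key the app computed, key the API computed,
             Mallory's key with the app, Mallory's key with the API).
    """
    app, api, mallory = Party("app"), Party("api"), Party("mallory")
    key_api = api.shared_key(mallory.pub)   # API received mallory.pub, not app.pub
    key_app = app.shared_key(mallory.pub)   # app received mallory.pub, not api.pub
    # Mallory now decrypts, reads and re-encrypts every message in both directions.
    return key_app, key_api, mallory.shared_key(app.pub), mallory.shared_key(api.pub)


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange, keys match:", a == b)
    key_app, key_api, m_app, m_api = mitm_exchange()
    print("under MITM, app and API keys match:", key_app == key_api)
    print("Mallory holds the app's key:", m_app == key_app,
          "and the API's key:", m_api == key_api)
```

Nothing in the exchange tells the app whether the public value it received came from the API or from Mallory, which is exactly why the answer ends with "SSL is required": TLS has the server sign its ephemeral DH value under a certificate the client can verify, so a substituted value fails that check instead of silently yielding a key the attacker shares.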
