Home page logo

webappsec logo WebApp Sec mailing list archives

Re: encryption in android apps
From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 9 Jan 2013 12:20:43 +0000

On 9 January 2013 10:00, saghar estehghari <s.estehghari () gmail com> wrote:

In my android application I need to save several sensitive files and I
want to encrypt them.
But I have doubts the way to store the key on the device!
The application is protected with PIN code and the is also
communication with the back-end server. But such communication should
be as
less as possible. This implies that I can't store the secret key on
the server and get it whenever needed.
So does anybody has a practical solution?


I'm not an Android expert, but traditionally you would require a
password for the app - something with enough entropy, which a PIN is
unlikely to have - and then use PBKDF2 or similar to derive a key from
this password. The secrets on the device would then be stored
encrypted with this key, so only people who know the password can
access them.

You could do the same with a PIN, but if someone recovered the
encrypted files, it would be trivial to brute-force for PINs of say,
six digits or less.

Unless I'm missing something?

Jamie Riden / jamie () honeynet org / jamie.riden () gmail com

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]