WebApp Sec mailing list archives

Re: encryption in android apps


From: saghar estehghari <s.estehghari () gmail com>
Date: Wed, 9 Jan 2013 14:14:35 +0100

Hey,

The application is a sort of secure payment with NFC. However, the tag
is passive (not connected to any network) and it's the mobile app's
responsibility to communicate with the server.
The whole system works with certificates and signatures for
authentication. This implies that the server generates a certificate
for each user, and the user authenticates itself to the tag with the
certificate. The tag then uses the info inside the certificate to do
its computation. All communications are encrypted. But having read more
about vulnerabilities in Android apps, and since I have to save the
certificates on the mobile device, I want to make sure that nobody can
see the contents of the certificates, by encrypting them.

As for the public/private key, I thought about the same solution: the
server will generate the key pair and it will be transferred to the
mobile app.
But as for storing the private key on the mobile app, do you think a
keystore on Android would be a safe place to store the key?

For the PIN code, do you think the entropy of 6 digits is low? I can't
use passwords, as the client needs an easy-to-use application. If I use
PBKDF2 and an attacker reverse engineers the application, can they get
the key?

Thanks
Saghar
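The PBKDF2-and-6-digit-PIN question above, as an added example that is not part of the original post or of the poster's application: a blob protected by a PIN-derived PBKDF2 key, the legitimate open path, and the offline brute force an attacker can run after pulling the blob off the device and reading the KDF parameters out of the APK. It assumes the salt and iteration count sit beside the ciphertext (the app itself needs them to re-derive the key); the PIN, salt, iteration counts and "certificate" bytes are constructed, and an HMAC-SHA256 counter-mode keystream stands in for AES-GCM so the code runs with only the Python standard library.

```python
"""
Added example, not code from the original post: what an offline attack on a
PBKDF2-protected blob looks like when the secret is a 6-digit PIN.

Everything below is constructed for illustration: the PIN, salt, iteration
count and the 'certificate' bytes are made up, and the HMAC-counter stream
cipher is a stand-in for a real AEAD (AES-GCM on Android) so that the
example runs with only the standard library.
"""
import hashlib
import hmac
import itertools
import time

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS          # every possible 6-digit PIN

# Constructed stand-in for the per-user certificate the app has to store.
CERT = (b"-----BEGIN CERTIFICATE-----\n"
        b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE\n"
        b"-----END CERTIFICATE-----\n")


def derive_key(pin: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the PIN, 32 bytes: 16 for encryption, 16 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations, dklen=32)


def keystream(key: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream cipher (demo only)."""
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:nbytes])


def seal(plaintext: bytes, pin: str, salt: bytes, iterations: int) -> dict:
    """Encrypt-then-MAC under a PIN-derived key. The returned dict is what an
    attacker finds on the device: salt and iteration count are stored in the
    clear because the legitimate app needs them to re-derive the key."""
    key = derive_key(pin, salt, iterations)
    enc_key, mac_key = key[:16], key[16:]
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}


def open_blob(blob: dict, pin: str):
    """Return the plaintext if the PIN is right, else None. The MAC check is
    exactly the yes/no oracle an offline brute force needs."""
    key = derive_key(pin, blob["salt"], blob["iterations"])
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], keystream(enc_key, len(blob["ct"]))))


def brute_force_pin(blob: dict):
    """Offline attack with the blob copied off the device and the KDF
    parameters read out of the reverse-engineered APK: walk all 10**6 PINs
    in order and stop at the first one whose MAC verifies."""
    for digits in itertools.product("0123456789", repeat=PIN_DIGITS):
        guess = "".join(digits)
        if open_blob(blob, guess) is not None:
            return guess
    return None


def estimate_full_search_seconds(salt: bytes, iterations: int, sample: int = 20) -> float:
    """Time `sample` derivations and extrapolate to the whole PIN space.
    Single core, OpenSSL PBKDF2; GPU rigs do far better per dollar."""
    start = time.perf_counter()
    for i in range(sample):
        derive_key(str(i).zfill(PIN_DIGITS), salt, iterations)
    per_guess = (time.perf_counter() - start) / sample
    return per_guess * PIN_SPACE


def demo() -> None:
    salt = bytes(range(16))              # constructed; a real app uses os.urandom(16)
    iterations = 1000                    # low on purpose so the demo finishes fast
    pin = "000742"                       # constructed; small so the search ends early
    blob = seal(CERT, pin, salt, iterations)
    print("legit open:", open_blob(blob, pin) == CERT)
    print("wrong PIN :", open_blob(blob, "000743"))
    print("recovered :", brute_force_pin(blob))
    for it in (1000, 10_000, 100_000):
        print(f"{it:>7} iterations -> full 10^6 search ~ "
              f"{estimate_full_search_seconds(salt, it):.0f} s on this core")


if __name__ == "__main__":
    demo()
```

Running `demo()` recovers the constructed PIN from the blob alone, and the last three lines show how the iteration count moves the cost of the full search: PBKDF2 multiplies the attacker's work per guess, but the number of guesses is fixed at 10^6 (about 20 bits), so the figure to compare against is how long the attacker is willing to spend on one user's blob, not how hard the PIN is to guess online.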
