WebApp Sec mailing list archives
Re: encryption in android apps
From: saghar estehghari <s.estehghari () gmail com>
Date: Wed, 9 Jan 2013 14:14:35 +0100
Hey,

The application is a sort of secure payment with NFC. However, the tag is passive (not connected to any network) and it's the mobile app's responsibility to communicate with the server. The whole system works with certificates and signatures for authentication. This implies that the server generates a certificate for each user, and the user authenticates itself with the certificate to the tag. The tag then uses the info inside the certificate to do computation. All communications are encrypted. But as I read more about vulnerabilities in Android apps, and since I should save the certificates on the mobile device, I want to make sure that nobody can see the contents of the certificates, by encrypting them.

As for the public/private key, I thought about the same solution, as the server will generate the pair of keys and this will be transferred to the mobile app. But as for storing the private key on the mobile app, do you think a keystore on Android would be a safe place to store the key?

For the PIN code, do you think the entropy of 6 digits is low? I can't use passwords, as the client needs an easy-to-use application. If I use PBKDF2 and an attacker reverse engineers the application, can they get the key?

Thanks,
Saghar
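An added illustration of the PBKDF2 question above, written for this archive page and not taken from the thread or from any Android library: everything the app has to persist (salt, iteration count, a verifier) is public, so reverse engineering reveals the scheme but not the PIN; what an offline attacker gains is the ability to try the whole 10^6 PIN space against that record, which is why the iteration count and a rate-limited, hardware-backed keystore matter. Function names, the `b"pin-verifier"` label and the sample PIN are assumptions made for this example.

```python
import hashlib
import hmac
import math
import os
from typing import Optional


def derive_pin_key(pin: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the PIN; the PIN is the only secret input."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def enroll_pin(pin: str, iterations: int = 100_000,
               salt: Optional[bytes] = None) -> dict:
    """Build the record the app would store. Nothing in it is secret:
    an attacker who reverse engineers the app learns the algorithm, the
    salt and the iteration count, but still has to guess the PIN."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_pin_key(pin, salt, iterations)
    # The verifier (hypothetical label) lets the app confirm a PIN entry
    # without ever writing the derived key to storage.
    verifier = hmac.new(key, b"pin-verifier", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_pin(record: dict, pin: str) -> Optional[bytes]:
    """Return the derived key if the PIN matches the record, else None."""
    key = derive_pin_key(pin, record["salt"], record["iterations"])
    expected = hmac.new(key, b"pin-verifier", hashlib.sha256).digest()
    # Constant-time comparison so a wrong PIN leaks nothing via timing.
    return key if hmac.compare_digest(expected, record["verifier"]) else None


def pin_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly chosen numeric PIN of the given length."""
    return math.log2(10 ** digits)


def offline_guess_work(record: dict, digits: int = 6) -> int:
    """Worst-case PBKDF2 iterations an attacker holding the record must
    spend to exhaust the PIN space; only the iteration count raises it."""
    return (10 ** digits) * record["iterations"]


if __name__ == "__main__":
    rec = enroll_pin("123456")  # constructed sample PIN
    print("6-digit PIN entropy: %.1f bits" % pin_entropy_bits(6))
    print("correct PIN accepted:", check_pin(rec, "123456") is not None)
    print("wrong PIN rejected:", check_pin(rec, "123457") is None)
    print("offline worst-case PBKDF2 iterations:", offline_guess_work(rec))
```

The derived key can wrap the private key on disk, but a key kept non-exportable in a hardware-backed keystore is not subject to this offline guessing at all, which is the practical difference between the two storage options asked about.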
Current thread:
- encryption in android apps saghar estehghari (Jan 09)
- Re: encryption in android apps Scott Herbert (Jan 09)
- Re: encryption in android apps saghar estehghari (Jan 09)
- Re: encryption in android apps Landon Hurley (Jan 10)
- Re: encryption in android apps saghar estehghari (Jan 09)
- Re: encryption in android apps Jamie Riden (Jan 09)