WebApp Sec mailing list archives

Re: encryption in android apps


From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 9 Jan 2013 12:20:43 +0000

On 9 January 2013 10:00, saghar estehghari <s.estehghari () gmail com> wrote:
Hi,

In my android application I need to save several sensitive files and I
want to encrypt them.
But I have doubts about the way to store the key on the device!
The application is protected with a PIN code, and there is also
communication with the back-end server. But such communication should
be kept as little as possible. This implies that I can't store the secret key on
the server and get it whenever needed.
So does anybody have a practical solution?

Thanks

I'm not an Android expert, but traditionally you would require a
password for the app - something with enough entropy, which a PIN is
unlikely to have - and then use PBKDF2 or similar to derive a key from
this password. The secrets on the device would then be stored
encrypted with this key, so only people who know the password can
access them.

You could do the same with a PIN, but if someone recovered the
encrypted files, it would be trivial to brute-force PINs of, say,
six digits or less.

Unless I'm missing something?

cheers,
 Jamie
-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
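The scheme Jamie outlines above, as an added example rather than code from anyone in the thread: a key is derived from the user's secret with PBKDF2-HMAC-SHA256, only the salt, iteration count and a key check value are written to the device, and an attacker who copies those files runs the offline search he describes. It is Python on the standard library rather than Android Java, and the iteration count, salt size and the key check layout (an HMAC over a fixed label) are my assumptions, not anything stated in the thread.

```python
import hashlib
import hmac
import itertools
import os
import time

# Assumed parameters for the demo (not from the thread). 1000 iterations is
# deliberately low so the brute force below finishes quickly; a real app would
# use a far higher count, which slows the attacker but cannot rescue a PIN.
ITERATIONS = 1000
KEY_LEN = 32          # 256-bit key
SALT_LEN = 16


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, stretching a password or PIN into a fixed-size key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def key_check(key: bytes) -> bytes:
    """Key check value (assumed layout): an HMAC over a fixed label, stored
    beside the encrypted files so the app can reject a wrong PIN before
    touching ciphertext. Anyone who copies the files gets it too."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def protect(secret: str, salt: bytes = None) -> dict:
    """What ends up on the device: salt, iteration count and key check value.
    The derived key itself is never written to storage."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = derive_key(secret, salt)
    return {"salt": salt, "iterations": ITERATIONS, "check": key_check(key)}


def brute_force_digits(stored: dict, digits: int):
    """Offline attack on a recovered file set: try every PIN of the given
    length in lexicographic order. Returns (pin, guesses_tried), or
    (None, 10**digits) if no PIN of that length matches."""
    for n, tup in enumerate(itertools.product("0123456789", repeat=digits), start=1):
        guess = "".join(tup)
        key = derive_key(guess, stored["salt"], stored["iterations"])
        if hmac.compare_digest(key_check(key), stored["check"]):
            return guess, n
    return None, 10 ** digits


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must cover in the worst case."""
    return alphabet_size ** length


def estimate_full_search_seconds(stored: dict, digits: int, samples: int = 100) -> float:
    """Time the KDF on this machine and scale to the whole PIN space."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_key(str(i).zfill(digits), stored["salt"], stored["iterations"])
    per_guess = (time.perf_counter() - t0) / samples
    return per_guess * keyspace(10, digits)


if __name__ == "__main__":
    # Constructed sample: a 6-digit PIN chosen low in the search order so the demo is quick.
    stored = protect("000731")
    pin, tried = brute_force_digits(stored, 6)
    print(f"recovered PIN {pin} after {tried} guesses")
    print(f"full 6-digit space on this machine: ~{estimate_full_search_seconds(stored, 6):.0f} s")
    print(f"6 digits: {keyspace(10, 6):,} candidates; "
          f"12 printable ASCII chars: {keyspace(95, 12):.2e}")
```

In a real app the derived key would wrap a randomly generated data-encryption key and the files would be protected with an authenticated cipher; the example stops at the key check because that is all the attacker needs to confirm a guess, and even without it they could simply attempt decryption. The point of the estimate is that raising the iteration count multiplies a 10^6 search by a constant, whereas a passphrase drawn from a larger alphabet multiplies the space itself.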


