WebApp Sec mailing list archives
Re: encryption in android apps
From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 9 Jan 2013 12:20:43 +0000
On 9 January 2013 10:00, saghar estehghari <s.estehghari () gmail com> wrote:
Hi,

In my Android application I need to save several sensitive files and I want to encrypt them. But I have doubts about the way to store the key on the device! The application is protected with a PIN code and there is also communication with the back-end server. But such communication should be as little as possible. This implies that I can't store the secret key on the server and get it whenever needed.

So does anybody have a practical solution?

Thanks
I'm not an Android expert, but traditionally you would require a password for the app - something with enough entropy, which a PIN is unlikely to have - and then use PBKDF2 or similar to derive a key from this password. The secrets on the device would then be stored encrypted with this key, so only people who know the password can access them.

You could do the same with a PIN, but if someone recovered the encrypted files, it would be trivial to brute-force for PINs of, say, six digits or less.

Unless I'm missing something?

cheers,
Jamie

--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden