WebApp Sec mailing list archives
Re: encryption in android apps
From: Landon Hurley <ljrhurley () gmail com>
Date: Wed, 09 Jan 2013 22:56:32 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 01/09/2013 08:14 AM, saghar estehghari wrote:
Hey, The application is a sort of secure payment with NFC. However the tag is passive (not connected to any network) and it's the mobile app's responsibility to communicate with the server. The whole system works with certificates and signatures for authentication. This implies that the server generates a certificate for each user, user authenticates itself with the certificate to the tag. The tag then uses the info inside the certificate to do computation. All communications are encrypted. But as reading more about vulnerabilities about android apps, and I should save the certificates on the mobile device, I want to make sure that nobody can sees the contents of the certificates by encrypting them. As for Public/Private key, I though about the same solution. As the server will generate the pair of keys and this will be transferred to the mobile app. But as for storing the private key on the mobile app, do you think the a keystore on android would be safe place to store the key? For PIN code, do you think the entropy of 6 digits is low? I can't use passwords, as the client needs an easy to use application. If I use PBKDF2 and an attacker reverse engineers the application can it gets the key? Thanks Saghar
PBKDF2 uses the PIN and a salt in combination, which are run through the PBKDF2 algorithm to generate a key. The salt increases the entropy of the PIN, because its (in theory) a secret that is only found on the device hardware. As long as the device is trusted, the key is secure as well: thus, if I understand your concern, even given the source code of the program, the individual user keys could not be reverse engineered. It's not as effective as employing a better password, but it will prevent someone from just creating rainbow tables. As for where to store private keys: although I'm not familiar with the Android system structure, each key should be independently encrypted, with the most obvious choice being to use a PBKDF2 output to encrypt them. That will ensure that someone grabbing the contents of the internal memory is still left with an encrypted, and to them useless file. As a general rule, most systems that use asymmetric encryption inherently encrypt the private key (certificate) by default. This will mean that you will not have to rely upon system X's default security; you can enforce it on your own. The risk with using a salt though is that given a loss of the salt, you lose access to any data encrypted with the key, so incorporating a way to back up the salt would be beneficial. landon - -- Violence is the last refuge of the incompetent. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCgAGBQJQ7jvwAAoJEDeph/0fVJWsDtwP/jdHrhf462IGzaqZcaYig7jF gkwirLbRS8J93qwutT5IiiK8KuWTHgZ7Q56dgWfzMvkPn8eN1M+W++vMddofq4ok /VIbLpEQvBAVgy7/7fkGeI10rVz9Xnf87gB3PpSlWGDORbdPmXFAP54/BnmA8Nm1 RmJDuw1F8hVm8Qu32QNO0aGHar1YHneNrs0bzW6gPy6payZ5Hv0pDrBJEx9lIjQg vlydQgGeH+eX36oG4LvMAIjR6CkpUFxmNKtivBW94K/GLNt3WdcV6ETITk0o64LM NFwPpCSqXy7wpcTT2dX+kPpADIlYsHanA6YEd8kS5LdIG+PJO/5lDOIE+/gewVNP aWBFawI4WkhHOnXn2LW/u/uFY8U91TAobpu5D7/Plf6UhTk3QIq7CfS3sI80aema slgsv3NA3X1ARcq0FIdrXC3pv+C1ArvuoQKY5B4sOZpMPNqLIJws9LDxqnaIDC4p 0DUdBadKGW021xXPZvxxCyB7NgWs03qYvN0EV4jUxt8NTaLb4HJZdEo6IcDX4Yrp 6lI1IRmS4RNhLKhsvKeaTx/Aq+SK7JFRcZM/rXu+f8c0y6p4IO7UG3PsB3GCP7m0 uqq/4H37JV7hjihmt6AeBVM2IQkqBQbHu7Ga5NqCe+7Oyuag5OmwIYlejdGsgeiI tIHk5EcyU9zLVyhGi6Qf =zSeu -----END PGP SIGNATURE----- This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- encryption in android apps saghar estehghari (Jan 09)
- Re: encryption in android apps Scott Herbert (Jan 09)
- Message not available
- Re: encryption in android apps saghar estehghari (Jan 09)
- Re: encryption in android apps Landon Hurley (Jan 10)
- Re: encryption in android apps saghar estehghari (Jan 09)
- Re: encryption in android apps Jamie Riden (Jan 09)