Isn't java byte code remarkably easy to reverse engineer into source
code using one of many free java decompilers?

From my understanding, even using an obfuscator on the byte code (if
that is possible with android implementation) isn't terribly effective
at preventing decompilers from doing a good job of reconstructing your
code.

I am also trying to work out a method of securely encrypting private
information (not critical, like account information or passwords) but
short of forcing the user to enter a password/pin (which I don't
want), I can't see how it would be easy to prevent a decompiler from
easily determining your encryption strategy (algorithm &
secret_key).

Any ideas?
thanks,
Jim




On Aug 27, 2:29 am, zeeshan <genx...@gmail.com> wrote:
> i am just protecting some images (about 500) i downloaded on sdcard.
> on the first run it downloads and write each by CipherOutputStream and
> for the next time it decrypt those images by CipherInputStream.
> a static key works at the moment
>
> On Aug 26, 3:07 pm, Haravikk <harav...@gmail.com> wrote:
>
>
>
> > The more important question I think is why are you doing this, what
> > information are you trying to protect?
> > It seems like you're adding encryption for the sake of it, but in fact
> > your solution won't be much more secure against someone determined to
> > get at the file's contents. If the key is static, then it is easier to
> > break, but if it changes then it would need to be stored, making it
> > easier to access.
>
> > One alternative is to generate the secret-key using a sufficiently
> > hard to guess algorithm, using some information about the device, so
> > that the key used is very different for every user, reducing the
> > chance of simple comparisons being able to break your encryption.
> > However, someone clever could still probably figure out how your
> > encryption works by examining the Java byte-code, as while it's tough
> > to get your head around it's not impossible to understand.
>
> > Perhaps in your case the effort required to break the encryption might
> > be more than it's worth to get into the file, but if you let us know
> > what kind of information you're hoping to store, then perhaps we can
> > give you some better solutions? If it's something "dangerous", like
> > payment details or something, then you need the most rock-solid
> > solution possible, but if it's something minor then encryption may be
> > a waste of time entirely.
>
> > On Aug 26, 2:46 pm, zeeshan <genx...@gmail.com> wrote:
>
> > > key never change once its been created.
>
> > > as i know SecretKey generates by a function as above, how can i set it
> > > as constant
> > > can you plz provide example?
>
> > > On Aug 26, 1:39 pm, Sujay Krishna Suresh <sujay.coold...@gmail.com>
> > > wrote:
>
> > > > On Wed, Aug 26, 2009 at 5:41 PM, zeeshan <genx...@gmail.com> wrote:
>
> > > > > key doesn't change.
> > > > > can i store keyString  in preferences to retrieve for decryption
>
> > > > yes that'd be better than storin it in a file. But better to jus have a
> > > > constant field in ur class that contains ur key.
>
> > > > > SecretKey key = KeyGenerator.getInstance("DES").generateKey();
> > > > > byte[] keybytes = key.getEncoded();
> > > > > String keyString = new String(keybytes);
>
> > > > If u r gonna execute these set of statements then wont the key change??
>
> > > > > or plz provide any example for the best practice
>
> > > > > On Aug 26, 12:28 pm, Sujay Krishna Suresh <sujay.coold...@gmail.com>
> > > > > wrote:
> > > > > > If it is only used by ur application, jus use a String instance to hold the
> > > > > > key. y store in a file??
> > > > > > ll the key change dynamically???
>
> > > > > > On Wed, Aug 26, 2009 at 4:55 PM, zeeshan <genx...@gmail.com> wrote:
>
> > > > > > > encryption and decryption is the app's internal functionality. user
> > > > > > > has nothing to do with this
> > > > > > > i encrypt the file on 1st run and on 2nd run i check if file is there
> > > > > > > then decrypt and show.
> > > > > > > so only thing i understand is to store the key somewhere in the app so
> > > > > > > i can access it for decryption.
> > > > > > > just wondering if this help
> > > > > > > File  keyFile = new File("data/data/package name/key");
>
> > > > > > > i followed this link for encryption and decryption
>
> > > > > > >http://www.java2s.com/Tutorial/Java/0490__Security/UsingCipherInputSt.
> > > > > ..
>
> > > > > > > On Aug 26, 12:11 pm, Sujay Krishna Suresh <sujay.coold...@gmail.com>
> > > > > > > wrote:
> > > > > > > > I think its better to ask the user for the secret key rather than storin it
> > > > > > > > smwhere.
>
> > > > > > > > On Wed, Aug 26, 2009 at 4:30 PM, zeeshan <genx...@gmail.com> wrote:
>
> > > > > > > > > Hi Dear,
>
> > > > > > > > > i wrote a small application which encrypt some files using a secret
> > > > > > > > > key.
> > > > > > > > > i need to decrypt files on 2nd run which requires same key again
> > > > > > > > > plz advise where should i store the secret key.
>
> > > > > > > > --
> > > > > > > > Regards,
> > > > > > > > Sujay
> > > > > > > > Mike Ditka <
> > > > >http://www.brainyquote.com/quotes/authors/m/mike_ditka.html>
> > > > > > >  -
> > > > > > > > "If God had wanted man to play soccer, he wouldn't have given us
> > > > > arms."
>
> > > > > > --
> > > > > > Regards,
> > > > > > Sujay
> > > > > > Pablo Picasso<
> > > > >http://www.brainyquote.com/quotes/authors/p/pablo_picasso.html>
> > > > > > - "Computers are useless. They can only give you answers."
>
> > > > --
> > > > Regards,
> > > > Sujay
> > > > Jonathan Swift<http://www.brainyquote.com/quotes/authors/j/jonathan_swift.html>
> > > > - "May you live every day of your life."
>
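The pattern the thread is asking about (create the key once, reload the same key on later runs, stream files through CipherOutputStream/CipherInputStream), as an added example that is not code from any poster. Assumptions: Java 11+, AES-GCM substituted for the thread's DES, and the class name, file names and temp directory (standing in for the app-private directory) are illustrative.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Base64;

public class StoredKeyDemo {
    // Generate the key once and persist it; later runs reload the same key.
    static SecretKey loadOrCreateKey(Path keyFile) throws Exception {
        if (Files.exists(keyFile)) {
            byte[] raw = Base64.getDecoder().decode(Files.readString(keyFile).trim());
            return new SecretKeySpec(raw, "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Base64 round-trips raw key bytes; new String(key.getEncoded()) does not.
        Files.writeString(keyFile, Base64.getEncoder().encodeToString(key.getEncoded()));
        return key;
    }
    static void encrypt(SecretKey key, byte[] plain, Path out) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);              // fresh IV for every file
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        try (OutputStream fos = Files.newOutputStream(out);
             CipherOutputStream cos = new CipherOutputStream(fos, c)) {
            fos.write(iv);                             // IV is not secret; stored as a prefix
            cos.write(plain);                          // close() appends the GCM tag
        }
    }
    static byte[] decrypt(SecretKey key, Path in) throws Exception {
        try (InputStream fis = Files.newInputStream(in)) {
            byte[] iv = fis.readNBytes(12);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
            try (CipherInputStream cis = new CipherInputStream(fis, c)) {
                return cis.readAllBytes();             // fails if the file was tampered with
            }
        }
    }
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("keydemo");   // stand-in for app-private storage
        SecretKey first = loadOrCreateKey(dir.resolve("key"));
        encrypt(first, "constructed image bytes".getBytes("UTF-8"), dir.resolve("img.enc"));
        SecretKey second = loadOrCreateKey(dir.resolve("key")); // simulates the second run
        System.out.println(new String(decrypt(second, dir.resolve("img.enc")), "UTF-8"));
    }
}
```

A key file kept beside the app only moves the secret from the bytecode to storage: anyone who can read the app's private files can still decrypt, which is the limit Haravikk describes in the quoted reply.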