Hi,

> I code that secret key into my app. * String secretKey="mysecretkey";*
>
> Given the ability to decompile .dex files, is this secure enough?

You only need to open the .dex file in a text editor to see the
"mysecretkey" string, so decompiling is not even necessary.

Dianne gave one of the best answers and the following might also help
you find the best answer possible, but it really depends on what you are
willing to accept as being secure enough for your application.

http://en.wikipedia.org/wiki/Public-key_cryptography

The very obvious answer is to get the user to enter the secret key
each time they use your application, but that is not generally
practical and is unlikely to be recommended.

Regards



On Sep 15, 10:14 pm, Carmen Delessio <carmendeles...@gmail.com> wrote:
> Forgive me if there is a very obvious answer to this question, but I want to
> have the best answer possible.
>
> > I must implement a system that needs to store some information at some
> > times in application lifetime.
> > This information must not be deleted / modified in any way because of
> > security issues (the user could trick the system).
>
> This is a scenario that is very similar to using APIs with secret keys.
> I, as a developer, have been given a secret key that is required for the
> API.
> I code that secret key into my app. * String secretKey="mysecretkey";*
>
> Given the ability to decompile .dex files, is this secure enough?
>
> I can think of other ways to do this, but what are the recommendations? I've
> looked at the Android Security FAQ and googled for an answer.
> Thanks,
> Carmen
> --
> Carmen
> http://www.twitter.com/CarmenDelessio
> http://www.talkingandroid.com
>
> On Tue, Sep 15, 2009 at 4:15 AM, Dianne Hackborn <hack...@android.com> wrote:
>
> > By definition, if the user has root, they can get to whatever they want.
> >  Now you can make this more difficult for them, by doing things like
> > encrypting your data and trying to be as careful as you can about where you
> > put the encryption key (for ex get it over the network, only keep it in RAM,
> > never let it be written to storage), but you would probably want to do that
> > yourself since relying on the platform to do so just makes it easier for the
> > user to subvert.
>
> > On Mon, Sep 14, 2009 at 11:07 PM, Andrei Bucur <andrei.bu...@gmail.com> wrote:
>
> >> So basically storing private data on the phone is actually impossible? I
> >> must implement a system that needs to store some information at some times
> >> in application lifetime. This information must not be deleted / modified in
> >> any way because of security issues (the user could trick the system).
> >> Is there a way to do this on a rooted phone (I'm pretty sure it's not... but
> >> the question is worth a shot)?
>
> >> Thanks!
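
Added example, not part of the thread: the reply's point that the literal is readable without decompiling, written as a pre-release check that reads the DEX string table directly. The sample bytes are constructed (DEX header and string table only), and `flag_literals` with its keyword list is a hypothetical helper.

```python
import struct

def uleb128(buf, pos):
    """Decode an unsigned LEB128 value; return (value, next_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def dex_strings(buf):
    """Return every entry of the string table of a DEX image."""
    if buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header fields: string_ids_size at 0x38, string_ids_off at 0x3C.
    count, table_off = struct.unpack_from("<II", buf, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", buf, table_off + 4 * i)
        _, start = uleb128(buf, data_off)   # skip the UTF-16 length prefix
        end = buf.index(b"\x00", start)     # MUTF-8 data is NUL-terminated
        out.append(buf[start:end].decode("utf-8", "replace"))
    return out

def flag_literals(strings, needles=("key", "secret", "token", "passw")):
    """Hypothetical check: string-table entries that look like credentials."""
    return [s for s in strings if any(n in s.lower() for n in needles)]

def build_sample(strings):
    """Constructed input: a DEX header plus string table, no code sections."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    ids, data = b"", b""
    for s in sorted(strings):
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # len < 128: one byte
    header = bytearray(header_size)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x20, header_size + len(ids) + len(data),
                     header_size)           # file_size, header_size
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + ids + data

SAMPLE = build_sample(["Lcom/example/Api;", "mysecretkey", "secretKey", "<init>"])
```

A keyword match only catches literals with telling names or values, so the full `dex_strings` output is what needs review before release.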