Thanks, Understanding that PGP and encryption are generally what is required, I want to get a handle on implementing security in an enviroment where:
1. Developers can have a rooted phone 2. Developers can decompile your code #2 is what makes this more difficult. On a web server, I can be reasonably assured when I use Java that you can't get my compiled class and decompile it. Starting with the specific non-secure example: > I code that secret key into my app. * String secretKey="mysecretkey"; That is not secure. "mysecretkey" is readable in the .dex file. Thanks for pointing that out. I can encrypt it using a method like those here: http://www.j2ee.me/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#SimpleEncrEx Android has classes to support this: http://developer.android.com/reference/javax/crypto/KeyGenerator.html * Let's say, I use the suggestion to get my secret key over the network. * That would typically be fine, but since an ambitious developer could decompile the code that does this, is it secure? I'd be happy to be missing something obvious. I think this is important enough for the specifics to be discussed. In the example scenario, the "mysecretkey" would be the developer secret for an API like Twitter, Facebook ... So user entering it is not the goal. Thanks again, Carmen -- Carmen http://www.twitter.com/CarmenDelessio http://www.talkingandroid.com On Tue, Sep 15, 2009 at 10:07 AM, gjs <garyjamessi...@gmail.com> wrote: > > Hi, > > > I code that secret key into my app. * String secretKey="mysecretkey";* > > > > Given the ability to decompile .dex files, is this secure enough? > > You only need to open the .dex file in a text editor to see the > "mysecretkey" string, so decompile is not even necessary. > > Dianne gave one of the best answers and the following might also help > you find a best answer possible, but it really depends on what you are > willing to accept as being secure enough for your application. > > http://en.wikipedia.org/wiki/Public-key_cryptography > > The very obvious answer is to get the user to enter the secret key > each time they use your application, but that is not generally > practical and is unlikely to be recommended. > > Regards > > > > On Sep 15, 10:14 pm, Carmen Delessio <carmendeles...@gmail.com> wrote: > > Forgive me if there is a very obvious answer to this question, but I want > to > > have the best answer possible. > > > > >I must implement a system that needs to store some information at some > > > > times in application lifetime.>This information must not be deleted / > modified in any way because of > > > > security issues (the user could trick the system). > > > > This is a scenario that is very similar to using APIs with secret keys. > > I , as a developer, have been given a secret key that is required for the > > API. > > I code that secret key into my app. * String secretKey="mysecretkey";* > > > > Given the ability to decompile .dex files, is this secure enough? > > > > I can think of other ways to do this, but what are the recommendations. > I've > > looked at the Android Security FAQ and googled for an anwer. > > Thanks, > > Carmen > > -- > > Carmenhttp://www.twitter.com/CarmenDelessiohttp://www.talkingandroid.com > > > > On Tue, Sep 15, 2009 at 4:15 AM, Dianne Hackborn <hack...@android.com > >wrote: > > > > > By definition, if the user has root, they can get to whatever they > want. > > > Now you can make this more difficult for them, by doing things like > > > encrypting your data and trying to be as careful as you can about where > you > > > put the encryption key (for ex get it over the network, only keep it in > RAM, > > > never let it be written to storage), but you would probably want to do > that > > > yourself since relying on the platform to do so just makes it easier > for the > > > user to subvert. > > > > > On Mon, Sep 14, 2009 at 11:07 PM, Andrei Bucur <andrei.bu...@gmail.com > >wrote: > > > > >> So basically storing private data on the phone is actually impossible? > I > > >> must implement a system that needs to store some information at some > times > > >> in application lifetime. This information must not be deleted / > modified in > > >> any way because of security issues (the user could trick the system). > > >> Is there a way to this on a rooted phone (I'm pretty sure it's not... > but > > >> the question worths a shot)? > > > > >> Thanks! > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---
