Web Application Security
encryption in android apps Jan 09 2013 10:00AM
saghar estehghari (s estehghari gmail com) (2 replies)
Re: encryption in android apps Jan 09 2013 12:32PM
Scott Herbert (scott a herbert googlemail com)
Re: encryption in android apps Jan 09 2013 12:20PM
Jamie Riden (jamie riden gmail com)
On 9 January 2013 10:00, saghar estehghari <s.estehghari (at) gmail (dot) com [email concealed]> wrote:
> Hi,
> In my android application I need to save several sensitive files and I
> want to encrypt them.
> But I have doubts the way to store the key on the device!
> The application is protected with PIN code and the is also
> communication with the back-end server. But such communication should
> be as
> less as possible. This implies that I can't store the secret key on
> the server and get it whenever needed.
> So does anybody has a practical solution?
> Thanks

I'm not an Android expert, but traditionally you would require a
password for the app - something with enough entropy, which a PIN is
unlikely to have - and then use PBKDF2 or similar to derive a key from
this password. The secrets on the device would then be stored
encrypted with this key, so only people who know the password can
access them.

You could do the same with a PIN, but if someone recovered the
encrypted files, it would be trivial to brute-force for PINs of say,
six digits or less.

Unless I'm missing something?

Jamie Riden / jamie (at) honeynet (dot) org [email concealed] / jamie.riden (at) gmail (dot) com [email concealed]

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus