I'm using Amazon FPS and I have to store the secret key in the Java code. However, I am afraid that someone would decompile my APK and find the key. I have decompiled the APK myself and could not find the key, but I am not a VM expert. Any help?
You cannot "really" prevent people from decompiling any program. Your security model had better take that into account. :-) – C. K. Young Jan 03 '10 at 04:40
If I do load it (the key) from the webserver, how do I ensure that the request can't be made by anyone else (assuming decompilation)? – Faisal Abid Jan 03 '10 at 04:48
http://en.wikipedia.org/wiki/Public-key_cryptography might be useful for authenticating requests. – Adam Luchjenbroers Jan 03 '10 at 04:52
2 Answers
You can't put your encryption key into your application and expect it to remain a secret. All it takes is for one determined programmer to decompile it and find the key, and they can share it with the world.
Asymmetric/public-key cryptography is exactly the solution you want. Create a public/private key pair, then put the public key in your application and keep the private key yourself. Then you can do two things:
- Your application can encrypt a message using the public key; that message can only be decrypted using the private key.
- Or, you can sign a message using the private key; that signature can be authenticated using the public key in your application.

True, but if you put the private key or public key in the app, they can use that one as well to decrypt the key. – Patrick Boos Mar 09 '11 at 00:17
@Patrick Boos: That's quite the point of asymmetric crypto: you can't compute the private key from the public key. The way this works is that you *encrypt* on your server, using the private key (which you aren't sharing with anyone, it is only on the server), and the app on the client has the *public* key with which it can decrypt; also, the app on the client signs with the *public* key, and the server verifies using the private key. *Public* keys are intended to be shared freely. – Piskvor left the building Apr 26 '11 at 11:23
@Piskvor In order to be secure public key cryptography requires that private keys are kept secret. But what if somebody got a private key stored in the application (e.g. by decompiling it)? Then he or she can still read all the secret data encoded with the public key (exactly as the original application). Is there a way to prevent this? – Piotr Apr 29 '11 at 21:40
A determined enough individual will be able to extract your key, and there really isn't that much that can be done about it. You can attempt to obfuscate the keys somehow (raising the bar on how determined they need to be), but you can't keep them from getting the key.
However, depending on why you need to store the secret key, you might be able to use Asymmetric Key Cryptography. You'll be able to store a public key that may be limited to encryption (not decryption) or authentication purposes, while being able to keep the private key safe.

The public key is only useful for encryption and signature verification. – President James K. Polk Jan 03 '10 at 05:21
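Both answers describe the same split: the private key stays on the server, only the public key is compiled into the app, and the app can then either verify what the server signed or encrypt something only the server can read. The following Go program is an added example of that scheme (not code from the question, the answers, or Amazon FPS); the function names and the sample license string are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server side: the private key never leaves the server. App side: only the
// public key is compiled in, so decompiling the APK yields nothing that can
// forge a signature or decrypt what the app sends.

// serverSign signs a message the app will later check (server-side code).
func serverSign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// appVerify checks a server-issued message using only the embedded public key.
func appVerify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// appEncrypt encrypts to the server; only the private key can open it.
func appEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// serverDecrypt opens a message the app encrypted to the public key.
func serverDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated once, offline
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey // this is the only key that ships inside the APK
	// 1. Server signs a constructed license; app verifies; a tampered copy fails.
	lic := []byte("user=alice;plan=pro")
	sig, _ := serverSign(priv, lic)
	fmt.Println("genuine:", appVerify(pub, lic, sig))
	fmt.Println("tampered:", appVerify(pub, []byte("user=mallory;plan=pro"), sig))
	// 2. App encrypts to the server; only the server's private key can read it.
	ct, _ := appEncrypt(pub, []byte("constructed secret"))
	pt, _ := serverDecrypt(priv, ct)
	fmt.Println("round trip:", string(pt))
}
```

Note that this covers authenticity and confidentiality toward the server; it does not stop a decompiled client from calling the server at all, so the server must still authorize each request on its own terms.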