18

I just read this article http://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html where I learnt to generate a security key.

I want to know how to save this generated key securely so hackers won't get it even if the phone is rooted.

If we save it in SharedPreferences or storage, then a hacker can get it.

Thanks.

N Sharma
  • If the phone is rooted there is no way to prevent a hacker from retrieving the key, as malware could run with root permission and read everything on your device. – Frank Sep 26 '16 at 08:51
  • @Frank I understand, this is why I asked here. The shared link is about making the secret key secure – N Sharma Sep 26 '16 at 09:53
  • read this , might help http://stackoverflow.com/questions/38989274/how-to-prevent-assets-files-from-reverse-engineering-in-apk/38989771#38989771 – Pavneet_Singh Sep 28 '16 at 10:37
  • Is the key "app-specific" (the same on all devices) or "user-specific" (every user has its own key generated on first start of the app)? – Robert Sep 28 '16 at 10:54
  • User is trying to invent security; downvote. – danny117 Oct 04 '16 at 18:15
  • I recommend you look at how the [Signal](https://github.com/WhisperSystems/Signal-Android) app does it. – code_dredd Oct 05 '16 at 08:11

5 Answers

14

This is the overall problem with keeping access to sensitive data: there is always a way to decrypt, and then the encryption key might leak.

You might use EncryptedPreferences to store simple data in an encrypted way.

However, just a quick look into the source code reveals that you must pass a password on app init.

EncryptedPreferences encryptedPreferences = new EncryptedPreferences.Builder(this).withEncryptionPassword("password").build();

This is a security leak if the password is hardcoded. This is not the preferred method.

You might make use of the link you provided and generate a One-time pad.

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public static SecretKey generateKey() throws NoSuchAlgorithmException {
    // Generate a 256-bit AES key
    final int outputKeyLength = 256;

    SecureRandom secureRandom = new SecureRandom();
    // Do *not* seed secureRandom! Automatically seeded from system entropy.
    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
    keyGenerator.init(outputKeyLength, secureRandom);
    // The returned key is the raw 32-byte secret; whoever can read it can decrypt.
    SecretKey key = keyGenerator.generateKey();
    return key;
}

Of course, an ideal situation is taken into account, where the key-generating function is ideally random.

Generate this key on first application start and use it in the library whose link I provided before.

Advantage: the key is different for each application installation. That means that if the cracker gets to know how the cipher works, he is still unable to decrypt other devices as long as he does not have access to such a device's SharedPreferences.

R. Zagórski
  • I have to save the key to save data in shared preferences later for encryption, right? Again, if I save this key, then again if the phone is rooted, someone can get it – N Sharma Sep 29 '16 at 18:32
  • Yes, that is right. But the access is only to this device, and only this one. The overall encryption of the application on other phones is preserved. As the overall sentence about encryption says: the cipher is corrupted if the encryption key is leaked. – R. Zagórski Sep 29 '16 at 20:41
3

If Android is rooted, there is no way to secure anything, so you had better look for architectural changes in your application.

Example: WhatsApp

Upon installation, WhatsApp creates a user account using one’s phone number as the username (Jabber ID: [phone number]@s.whatsapp.net). A password is generated using an unknown algorithm on the server end and sent to the client.

But if the phone is rooted, you can easily extract this password as mentioned here.

WhatsApp uses end-to-end encryption; it stores all its data in encrypted form in internal storage.

Example: Snapchat

Snapchat has stated that Snapchatters using a Rooted Android device will be blocked from logging in.


Suggestion

What you can do is use a mixture of the techniques of both giant applications, WhatsApp and Snapchat, i.e.

  • Block the phones that are rooted
  • Make sure to make the password "user-specific" (every user has its own key) rather than "app-specific" (the same on all devices)
  • Save the password on the server, and fetch it on every start of the application (validate and delete, do not store)
  • Make sure all your data is in encrypted form
shanraisshan
  • So, compromise the server and now *all* user keys are compromised. If WhatsApp works that way, then the E2E encryption is basically compromised anyway, as the company/ies already have the encryption keys and a simple subpoena (if that much is even required) will get them to hand over the keys to decrypt your content. It's a lot more difficult/effort to compromise individual phones than it is to compromise a single server (bad ROI). Do what Signal does: create the key locally in the phone during installation, destroy it when the app is uninstalled, and securely wipe data encrypted with that key – code_dredd Oct 05 '16 at 08:10
  • FYK WhatsApp End-to-End Encryption is implemented by the Signal team https://whispersystems.org/blog/whatsapp-complete/ – shanraisshan Oct 06 '16 at 09:31
  • I guess I got a different impression from some of the wording in your post and was not aware that WA was now doing the same thing. Thanks for the info update. That was definitely not what they were doing a mere few months back. – code_dredd Oct 06 '16 at 11:23
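As an added example (not shanraisshan's code, and not taken from WhatsApp or Snapchat), here is one best-effort way to act on the "block the phones that are rooted" suggestion above. It assumes a standard Android runtime (android.os.Build is available); the list of su locations is a constructed, non-exhaustive set of common paths.

```java
import android.os.Build;
import java.io.File;
import java.util.Arrays;
import java.util.List;

public final class RootCheck {
    // Constructed list of places where a su binary is commonly installed on
    // rooted devices; not exhaustive, and custom setups may use other paths.
    private static final List<String> SU_PATHS = Arrays.asList(
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/data/local/su", "/su/bin/su");

    // Build.TAGS contains "test-keys" on builds signed with the AOSP test keys,
    // which is typical of custom ROMs rather than vendor release builds.
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // True if any of the well-known su locations exists on this device.
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    // A true result is strong evidence of root. A false result is not proof of
    // its absence: root-hiding tools target exactly these checks, so treat the
    // answer as a signal for the app's policy, not as a security boundary.
    public static boolean isLikelyRooted() {
        return hasTestKeys() || hasSuBinary();
    }
}
```

Called once at startup (for example, `if (RootCheck.isLikelyRooted()) { /* refuse login */ }`), this implements the first bullet of the suggestion; the second and third bullets (per-user keys, server-held secrets) are policy choices that this check does not replace.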
1

If you are generating and using the key in the application, it may be interesting to use the new (API 18+) Android Keystore Provider. The key is stored by a special secure service, which may use secure hardware if available.

It does not store an existing key (created elsewhere), but it allows you to create and use keys without having access to the secret key itself. The idea is that the secret key never leaves the secure service, so that nobody can extract it, not even your application (or root, if secure hardware is used).

It also allows you to put restrictions on how the key is used (e.g. for a fixed duration after user authentication).

bwt
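Added example, not code from this thread or from Android's own documentation. It puts the first answer's scheme (a per-install AES key persisted in SharedPreferences, which is exactly the file a root process can read) beside the Keystore-backed variant this answer describes, and uses both through AES-GCM. It assumes API 23+ for KeyGenParameterSpec; the alias, preference file and entry names are made up for the example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class KeyStorage {
    private static final String KEY_ALIAS = "app-data-key";  // assumed alias
    private static final String PREF_FILE = "keys";          // assumed prefs file
    private static final String PREF_KEY = "aes";            // assumed entry name
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_LEN = 12;                    // GCM default IV size

    // Weak storage, as in the first answer: the raw key bytes end up in
    // /data/data/<package>/shared_prefs/, so any process running as root (or an
    // ADB backup) can read them. The key is still per-install, i.e. user-specific.
    static SecretKey loadOrCreatePrefsKey(Context ctx) throws Exception {
        SharedPreferences sp = ctx.getSharedPreferences(PREF_FILE, Context.MODE_PRIVATE);
        String b64 = sp.getString(PREF_KEY, null);
        if (b64 != null) {
            return new SecretKeySpec(Base64.decode(b64, Base64.NO_WRAP), "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        SecretKey key = kg.generateKey();
        sp.edit().putString(PREF_KEY,
                Base64.encodeToString(key.getEncoded(), Base64.NO_WRAP)).apply();
        return key;
    }

    // Hardened storage: the key is generated inside the Keystore provider and
    // never handed to the app. getEncoded() returns null for such a key, so there
    // is nothing to persist; the app can only ask the provider to use it.
    static SecretKey loadOrCreateKeystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Usage restriction from this answer: the key only works for
                // 30 seconds after the user has unlocked the device.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(30)
                .build());
        return kg.generateKey();
    }

    // AES-GCM with a fresh IV per message; output layout is IV || ciphertext+tag.
    // Keystore keys require the provider to choose the IV, so it is read back
    // from the cipher instead of being supplied by the caller.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Splits the IV off the blob and verifies the GCM tag while decrypting;
    // a tampered blob throws AEADBadTagException rather than returning garbage.
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }
}
```

The encrypt/decrypt pair works with either key, so switching from `loadOrCreatePrefsKey(ctx)` to `loadOrCreateKeystoreKey()` changes only where the key lives: the first leaves a 32-byte secret on disk, the second leaves only an alias, and with `setUserAuthenticationRequired(true)` a `Cipher.init` outside the 30-second window fails with `UserNotAuthenticatedException` instead of silently working.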
0

The root user has permission to do anything on your Android device. No matter where you save your generated key, a process running as root will be able to read it (as long as it knows where to read from). You may decide to encrypt the key before storing it, but then you have to decide where you will save the encryption key (again, if it's on the phone, the root user can read it).

You may consider asking the user of your app to provide the encryption key, and not storing the encryption key on the device. However, even then it may be possible to get hold of that encryption key given enough time and effort from an attacker.

You should consider the requirements of your app; most probably, when the device is rooted, your application should not provide any security guarantees to your users. After all, there is a reason why rooting your device voids the warranty.

oldbam
0

Rule one of security: don't invent your own security. You can't create a way to store a private key safely on any device when you've just learned to generate a key.

I just read this article http://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html where I learnt to generate security key.

A way that has already been invented is to make the user enter a string (something that is not saved on the phone) and use the string for encryption.

The unsaved string method is easily broken by copying the ROM to a powerful machine and using brute force.

danny117