3

I have 'secured' the communication between my Android application and a TLS server providing a financial transaction service, currently in development.

The security credentials are stored in a BKS keystore included in the Android apk. The password to the keystore is visible in plain text in the application source:

keyStore.load(is, "passwd".toCharArray());

I am concerned that if someone were to reverse engineer the app, they would be able to impersonate another user and compromise the security of the service.

I was wondering whether there is a fault in my implementation, if anyone else has this concern, and what the best method of securing against this possibility is.

J0hnG4lt

4 Answers

2

Whenever you store security data on the client it can be compromised by reverse engineering. You may try to obscure it in the code, but a determined hacker will figure it out anyway. So the only way to make it more secure is not to have the password openly in the code. Maybe you can just ask the user for some PIN code at the start of the application and use it to decrypt the password?

Alex Gitelman
  • Surely the password would have to be encrypted using this pin first, and hence would need to be in plain text? – J0hnG4lt Sep 09 '11 at 16:57
  • If you are running server, have user authenticate first on the server with pin then return password via SSL. – Alex Gitelman Sep 09 '11 at 17:22
  • How does the server get the PIN in order to authenticate it? Any authentication credentials should be over a secure connection (which doesn't exist at this point in the process) or encrypted based on an agreed encryption protocol (which is a possibility). – J0hnG4lt Nov 23 '11 at 16:28
2

Are the credentials stored in your app unique per user, i.e. does every user get their own apk with unique credentials? If you only have one apk with the same credentials then this is as good as no security. Even worse, it gives a false feeling of security.

You (your employer) should really hire a security expert to design your system from a security point of view.

Here's what I'd do:

  1. The app comes without security credentials.
  2. Security credentials are generated for every user on the server.
  3. Every user gets a secret activation code which is generated in a secure environment and delivered via an alternative channel, preferably via snail mail. Activation codes are time-limited and can be used only once.
  4. On first use the user types the activation code into the app, which enables a one-time download of the credentials over a secure (https) channel.
  5. The user provides a password to encrypt the credentials while they are stored on the device.
  6. Every time the app is used the user must provide this password. If the app is not used for some time, the app must time out the session and ask for the password again when the user wants access.

But don't take my word for it. You still need a security expert if there are financial transactions involved.

Peter Knego
1

I believe that Diffie-Hellman Key Exchange is what I was looking for. I'd rather not have to re-implement my own version of DH using a complicated process which involves the user.

J0hnG4lt
  • DH is implemented on Android (search SO to find examples). It's also used as part of HTTPS. But I don't see how it's going to help you securely store the password. – Peter Knego Nov 23 '11 at 20:27
  • Unless I'm missing something, it will allow me to drop the BKS key stored with the application that is used to secure the connection with the server. The key exchange will create a new key for each session with the server, dropping the requirement for a stored key. I'll implement it and report back. – J0hnG4lt Nov 24 '11 at 10:28
  • This is then the same as using https, without the protection for MITM attacks. – Peter Knego Nov 24 '11 at 11:20
  • Just use HTTPS with a valid cert on server and a user login to identify users (if needed). – Peter Knego Nov 24 '11 at 11:22
  • John, what solution did you use then? – rohitverma Mar 03 '13 at 11:41
0

I'm currently programming for a processing company.

There are a set of rules and regulations for a transaction application -OR- a POS app (Point Of Sale application).

The rules are listed online as PCI validation; a certain amount of security has to be issued or it will be a lawsuit from Visa, Inc. or many other companies.

About your question: it doesn't follow PCI compliance, as that is a security issue.

Please read the PCI compliance rules so that there is a complete understanding of security; it's not good to compromise cardholder data.

:)

Keeano
  • Also try to implement a Restful API. – Keeano Sep 09 '11 at 16:43
  • Thanks for the comments: I do realise the security implications: hence the question. I would like to approach this from a technical standpoint, to discover what the SO recommends regarding this specific case. There are a number of other android applications out there that are secured in this way, that might benefit from this discussion. – J0hnG4lt Sep 09 '11 at 16:48