I have an Android native app, and for security reasons the client now says to encrypt the SHA-1 key. I checked the app for generated certificates; it shows SHA-1, SHA-256 and MD5. How do I store it all securely? I referred to these examples but am confused about the implementation. I looked through the entire app and am unable to figure out how I can get and store it. In the values.xml file all sensitive info is stored, like google_api and Firebase details, so I need to store it more securely. How can I do it?
SHA-1 key are you talking about? Do you want to implement certificate pinning for an HTTPS connection, or do you want to check the certificate of an APK signature, or what else? Depending on where the SHA-1 comes from, the storage can also change. – Robert Jul 13 '23 at 06:51
@Robert - I want that SHA-1 should not be accessible by any unauthorized authority? – Abm Jul 13 '23 at 07:01
@Robert - In values.xml file all sensitive info is stored like google_api, Firebase details so I need to store it more securely. How can I do it? – Abm Jul 13 '23 at 07:14
2 Answers
In your default config block in the build.gradle file, make the following changes:

Step 1:

```groovy
defaultConfig {
    ...
    // Load the values from local.properties in the project root
    Properties properties = new Properties()
    properties.load(project.rootProject.file("local.properties").newDataInputStream())
    // Generate the constants BuildConfig.SHA1 and BuildConfig.SHA256
    buildConfigField "String", "SHA1", "\"${properties.getProperty("SHA1")}\""
    buildConfigField "String", "SHA256", "\"${properties.getProperty("SHA256")}\""
}
```

Step 2:

Create the SHA1=your_SHA1_key property in local.properties.
Create the SHA256=your_SHA256_key property in local.properties.

Step 3:

Rebuild the project after completing the above process. You can access your SHA1 key using BuildConfig.SHA1.

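A release check for the approach above, added here as an example and not code from the answer or the question: a value exposed through `buildConfigField`, or placed in values.xml, is packaged inside the APK, and this script reports which APK entries contain it. The sample values, the stand-in APK contents and the function names are constructed for the illustration.

```python
import io
import zipfile

# Constructed sample values, not real credentials or fingerprints.
SAMPLE_SHA1 = "DE:AD:BE:EF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
SAMPLE_API_KEY = "CONSTRUCTED-API-KEY-0000"


def find_embedded_values(apk_bytes, candidates):
    """Map each candidate label to the APK entries that contain its value.

    BuildConfig constants are compiled into classes*.dex and values.xml
    strings into resources.arsc. ASCII strings sit there as raw bytes
    (MUTF-8/UTF-8) or, in some resource tables, as UTF-16LE.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            data = apk.read(entry)  # read() inflates compressed entries
            for label, value in candidates.items():
                needles = (value.encode("utf-8"), value.encode("utf-16-le"))
                if any(needle in data for needle in needles):
                    hits.setdefault(label, []).append(entry)
    return hits


def build_sample_apk():
    """Build a constructed stand-in for a release APK (hypothetical layout).

    The entries are not valid DEX/ARSC files; they only place the sample
    strings the way the real formats would store them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        apk.writestr("classes.dex",
                     b"dex\n035\x00" + b"\x00" * 32 + SAMPLE_SHA1.encode("utf-8"))
        apk.writestr("resources.arsc",
                     b"\x02\x00\x0c\x00" + SAMPLE_API_KEY.encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    found = find_embedded_values(
        build_sample_apk(),
        {"SHA1": SAMPLE_SHA1, "google_api_key": SAMPLE_API_KEY},
    )
    for label, entries in found.items():
        print(f"{label}: present in {', '.join(entries)}")
```

To run it against a real build, pass the bytes of the release APK and the values from local.properties or values.xml instead of the constructed samples.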
The code from https://gist.github.com/JosiasSena/3bf4ca59777f7dedcaf41a495d96d984 encrypts and decrypts text using your app key. To use it, you should first run your app, calling encrypt on your secret text. Log the encrypted string to logcat. Then read it from logcat and put this string in your source code. Before using this string, you should call decrypt on it, and then you can use it later in your code. Remember to remove the code you used to encrypt your string; it was only temporary.
You can play with this code using this example application:
https://github.com/luskan/EncryptDecryptApp
In MainActivity change SAMPLE_ALIAS to whatever you want.
Encryption is done with this code:

```java
String textToEncrypt = "Your Secret"; // not encrypted yet
final byte[] encryptedTextArray = encryptor
        .encryptText(SAMPLE_ALIAS, textToEncrypt);
// Base64-encode the ciphertext so it can be logged and handled as a string
String encryptedText = Base64.encodeToString(encryptedTextArray, Base64.DEFAULT);
```

and decryption will look as follows:

```java
String encryptedText = "TAxdnTHhyEC34x510mMxqt2nAMrv7dMXWDjr";
// Decode the Base64 string back into the raw ciphertext bytes
byte[] encryptedBytes = Base64.decode(encryptedText, Base64.DEFAULT);
String decryptedText = decryptor
        .decryptData(SAMPLE_ALIAS, encryptedBytes, encryptor.getIv());
```

Note that on each encryption the encryptedText will be different; this is correct behaviour.
