How to safely use passwords inside an Android application?

0

I'm developing an Android application where I need to authenticate the app user and return some information, but this information will be in a remote database (MySQL), so I developed an API that receives a GET or POST value with a string encrypted and returns the values of the user, in this case I am using AES encryption that needs a key for encryption and decryption.

My concern is: how to use this static String AESKey key for AES encryption within the android application without running the risk of the application being broken and the key being viewed?

    
asked by anonymous 17.10.2014 / 22:58

1 answer

1

The best way to answer the question is:

Do not save your password in the code, as it will be easily read.

Of course, a solution to your question depends a lot on the service that your application is connecting to ... but starting from the point where you have access to the application and the server ...

The path you are going to want to follow besides needing encryption will clearly need to work with certificates, etc. Protecting your password is the least of the problems you will face on this journey, where the rule of thumb is ... never, but never save a password in the code when security is a requirement.

That said, I would like to point out that from experience, the level of security that you will certainly implement will be proportionally linked to the importance that the market / users place on your application. This is because for any of us who create applications the importance on our creation is always maximum.

However we often forget to look at the reality of it.

Realizing that I am looking for a technical answer to this problem and in order to better help with this issue and what you are implementing ... I have indicated several solutions ... but all very questionable with regard to security: p>

  • Obfuscate code

  • make the password as random as possible

  • Use strong algorithms

  • etc, etc .. etc.

    Looking at your code snippet and realizing that you need to manage a password that will be used in the communication between two points in order to be as confidential as possible ... and assuming that the password can be dynamic, and not enforced by the server you are connecting to, and if the SSL expense is not in your best interest then why not use the Diffie-Helman algorithm. That is, through the mathematical model it is possible for two points to agree on a key with each new connection.

    In this way you will never need to save passwords. Warning: this algorithm is permissible to man-in-the-middle attacks ... and so once again ... SSL is required.

        
    20.10.2014 / 16:28