How to store a protected string in Android?

Question

How to store a protected string in Android?

Are there any clear examples of using KeyStore in Android?

I can’t understand how I can protect my password / token / anything_else in the Android application in the ROOTED device from being used by hackers who have physical access to the device.

I understand that I can generate KeyPair with some ALIAS and use it as a private key as a database password, for example, but I am wondering: can any hacker read this ALIAS from my decompiled apk (because I cannot obfuscate the alias string) and create another application that uses the same ALIAS to get privateKey with android KeyStore?

Any solutions?

+6

android security passwords keystore

Andrew Vasilyev Apr 27 '16 at 11:25

source share

2 answers

Scott Arciszewski · Answer 1 · 2016-09-14T21:00:42+0000

I can’t understand how I can protect my password / token / anything_else in the Android application in the ROOTED device from being used by hackers who have physical access to the device.

You can not. Client authentication is not a server issue .

Let's say you store the encrypted value in your application, and not save the value directly. Where is the key to decrypt this value? An application must decrypt this value. Now all the hacker needs is to download your .apk, connect it to Lobotomy, and they will quickly understand what is happening.

You'd better never post sensitive information about the device itself if you want to hide it from the people who run your software.

danesz · Answer 2 · 2016-09-14T21:15:09+0000

Do you need to save the key in the application?

What to do if during the first installation you ask the user to set a password, you will encrypt your SQLCipher DB with this key (possibly a hash file), and then every time the user launches the application, you request a password.

How to store a protected string in Android?

More articles: