Geek Answers Handbook

Good practice: how to handle keystore passwords in android / java?

Assuming that the password for the keystore is not provided or is not tied to the user's password (which more or less means simply a string or array [] in the code somewhere), is this sufficient protection that it simply cannot or can hardly extract from bytecode?

I know that the password for the keystore (JKS / BKS) is used only to verify the integrity of the keystore. In addition, it is very clear that I have to assume that the application runs in a more or less trusted environment in order to be “secure”. But anyway, is it possible to extract the password only from the apk file?

It seems that it is wrong to type any password in the application source, so there may be some ideas on how to make this actually less dangerous. For example. would it be better to make the password customizable in an external configuration file or create it randomly during application installation (and where should it be saved)?

+8
java android security password-protection keystore
source share
3 answers

Is this enough protection that it simply cannot or can hardly extract from bytecode?

“Enough” is a subjective term; only you can determine what you think is enough for you.

Is it possible to extract password only from apk file?

Yes, since APK files can be decompiled, unencrypted network conversations can be sniffed, etc.

how to make it actually less threatening

You can buy a license for DexGuard and use it because it will encrypt string strings, such as your password. Regardless of whether additional protection is worth it, your decision.

it would be better to make the password customizable in an external configuration file

Anyone who root the device can get the file.

or randomly generate it during application installation (and where should it be saved)?

It will be stored somewhere, accessible to users with root devices, at a minimum.

+4
source share

The most common way to encrypt keystores is with a password, but this is optional.

Saving a password close to the keystore is more or less equivalent to having a keystore that is not encrypted. This can be perfectly normal. For example, it is not uncommon to have unencrypted keystores with both certificates, private keys on servers where the keystore file is protected by other means.

The type of attack that you seem to be trying to defend against this is that someone could modify the contents of the keystore. The password can be used to verify the integrity of the keystore, but only if it is not known to the attacker. He cannot think of a typical scenario where an attacker will have access to your keystore, but will not have access to the bytecode of your application or other application configuration.

The file system for an Android application is reasonably protected, but not bulletproof. If you do not trust this file system, you need to encrypt the keystore with a password that the user enters or retrieves from another location outside the device. On the other hand, if you trust the file system, you actually do not need to encrypt the keystore (or you can encrypt it with a well-known password if this will simplify your development).

+3
source share

Try using null instead of password (see this question )

final KeyStore keyStore = KeyStore.getInstance("BKS"); keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), null); final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManager.init(keyStore, null); final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustFactory.init(keyStore); sslContext = SSLContext.getInstance("TLS"); sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
+1
source share

More articles:


All Articles