Geek Answers Handbook

Which is the safest way to include a key pair (public / private) in apk

I am developing an Android application and I have to maintain a secure connection to the server through a pair of private and public keys. What is the safest way to store the secret key in my apk? Obviously I'm going to confuse the code, but I want more security. I thought of the following option:

If I create my own section library with methods for signing transaction information, apk should contain only the .so file and this file is in machine code, so decompilation can be complicated, right?

any ideas? Thanks

+7
source share
2 answers

Store the key pair in the keystore and specify the keystore as a resource in the APK. Android usually prefers the BouncyCastle Key Store (BKS) format. Keystores are specially designed for this purpose.

Please note that you must protect the keystore with a password, and your application will need to know this password to access the keystore. Thus, it remains for you to ask the user to enter a password to access the keystore or to include the password in his code (obfuscate it to make it more difficult for an attacker who can reverse engineer). If someone encounters the problem of reverse-engineering your application to recover the encrypted keystore and password needed to access it, including this password in the compiled source library will not be a significant additional obstacle.

However, you may not need to do this anyway. If your goal is to protect / encrypt data in transport to / from the server, use SSL / TLS. If you do not use client-side authentication, your server needs an SSL certificate, but your client does not; The protocol provides secure creation of encryption keys for you. If you want the server to authenticate the client (so that your server only talks to your clients), you need to install an SSL certificate on the client side with your application ... this is the private key that you use, it thinks.

I will also point you to "Application Security for the Android Platform" . This book (disclaimer: I wrote a book) has a whole chapter that talks about how to create a secure connection between Android applications and the server, with code examples, to illustrate how to implement appropriate security measures. You can read it.

+4
source

First of all, to ensure a secure connection between your client application and the server, conceptually speaking, you only need the public key of the server. This allows you to establish a one-way trust with the server and establish a secure session in which server authentication is guaranteed.

Although the above method does not provide two-way trust (the client cannot be identified on the server), when establishing the communication channel in most applications, this level of trust is not required.

If your requirements are to ensure that the client is authenticated on the server using public / private keys, then everything becomes more complicated, because if you put the key in apk, no matter how confusing it is (including embedding it in your own library ) it will only slow down the work of a loyal vile user.

The only way to save the private key with the client is to encrypt it. But then you have a similar problem with where to store the decryption key. The simplest solution is to create a public / private key pair for the client application user and ask the user to provide a symmetric encryption / decryption key (which the user will always have to enter) to decrypt the private key each time the user uses the application.

An alternative would be to use some specialized cryptographic hardware device, like a smart card, which stores the secret key securely, but you still have the problem of authorizing your application to read the key from the device (not to mention the complication of interacting with the specified device).

Now the question that you should ask yourself is: "Who are you trying to not read the secret key?" (of course, after answering another question: "You really need a public / private key pair for the client").

+2
source

More articles:


All Articles