Android storing key, decompiling fear

Asked 3/1, 2010 at 4:29 Answered 3/1, 2010 at 5:33

I'm using amazing FPS and I have to store the secret key in the java code. However I am afraid that someone would decompile my apk and find the key. I have decompiled the apk myself and could not find the key, but I am not a VM expert. Any help?

Eviaevict answered 3/1, 2010 at 4:29 Comment(3)

You cannot "really" prevent people from decompiling any program. Your security model had better take that into account. :-) – Gnome 3/1, 2010 at 4:40

If i do load it from the webserver (the key), how do i ensure that the request cant be made by anyone else (assuming decompile) – Eviaevict 3/1, 2010 at 4:48

en.wikipedia.org/wiki/Public-key_cryptography might be useful for authenticating requests. – Levantine 3/1, 2010 at 4:52

You can't put your encryption key into your application and expect it to remain a secret. All it takes is for one determined programmer to decompile it and find the key, and they can share it with the world.

Asymmetric/public-key cryptography is exactly the solution you want. Create a public/private key pair, then put the public key in your application and keep the private key yourself. Then you can do two things:

Your application can encrypt a message using the public key, that can only be decrypted using the private key.
Or, you can sign a message using the private key, that can be authenticated using the public key in your application.

Erastian answered 3/1, 2010 at 5:33 Comment(3)

true. but if you put the private key or public key in the app, they can use that one as well to decrypt the key. – Dermatoglyphics 9/3, 2011 at 0:17

@Patrick Boos: That's quite the point of asymmetric crypto: you can't compute the private key from the public key. The way this works is that you encrypt on your server, using private key (which you aren't sharing with anyone, it is only on the server), and the app on the client has the public key with which it can decrypt; also, the app on the client signs with the public key, and server verifies using the private key. Public keys are intended to be shared freely. – Aplacental 26/4, 2011 at 11:23

@Piskvor In order to be secure public key cryptography requires that private keys are kept secret. But what if somebody got a private key stored in the application (e.g. by decompiling it)? Then he or she can still read all the secret data encoded with the public key (exactly as the original application). Is there a way to prevent this? – Lourdeslourie 29/4, 2011 at 21:40

A determined enough individual will be able to extract your key, and there really isn't that much that can be done about it. You can attempt to obfuscate the keys somehow (raising the bar on how determined they need to be), but you can't keep them from getting the key.

However, depending on why you need to store the secret key, you might be able to use Asymmetric Key Cryptography. You'll be able to store a public key that may be limited to encryption (not decryption) or authentication purposes, while being able to keep the private key safe.

Levantine answered 3/1, 2010 at 4:51 Comment(1)

The public key is only useful for encryption and signature verification. – Gerhardt 3/1, 2010 at 5:21

Recommended topics

Hot tags