Android Encryption Credentials

Hey,

I have some credentials on the tablet side for Android Development and I was looking for the best practices for being able to decrypt/encrypt them during run time so that any debugging of the application would prove futile once the application had been built.

Thanks for any time taken with this query.
LVL 2
PsychotextAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Good to check out below on best practices

the securecoding in CERT org (https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535), e.g. the DRD10-J. Do not release apps that are debuggable

the Android developer community
We also want to make sure the device is not rooted as his can inadvertently  allow an owner to gain root access for purposes of debugging applications and system components or to access features not presented to applications by Android APIs.http://source.android.com/devices/tech/security/#the-android-permission-model-accessing-protected-apis
On some devices, a person with physical control of a device and a USB cable is able to install a new operating system that provides root privileges to the user. To protect any existing user data from compromise the bootloader unlock mechanism requires that the bootloader erase any existing user data as part of the unlock step. Root access gained via exploiting a kernel bug or security hole can bypass this protection.

Encrypting data with a key stored on-device does not protect the application data from root users. Applications can add a layer of data protection using encryption with a key stored off-device, such as on a server or a user password. This approach can provide temporary protection while the key is not present, but at some point the key must be provided to the application and it then becomes accessible to root users.

A more robust approach to protecting data from root users is through the use of hardware solutions.
See the crypto implementation http://source.android.com/devices/tech/encryption/android_crypto_implementation.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PsychotextAuthor Commented:
This is a great repository of information. Really helped with some best in practice solutions for other issues I may have in the future or have been wondering around in passing, thanks a lot.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Android

From novice to tech pro — start learning today.