Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 235
  • Last Modified:

Android Encryption Credentials

Hey,

I have some credentials on the tablet side for Android Development and I was looking for the best practices for being able to decrypt/encrypt them during run time so that any debugging of the application would prove futile once the application had been built.

Thanks for any time taken with this query.
0
Psychotext
Asked:
Psychotext
1 Solution
 
btanExec ConsultantCommented:
Good to check out below on best practices

the securecoding in CERT org (https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535), e.g. the DRD10-J. Do not release apps that are debuggable

the Android developer community
We also want to make sure the device is not rooted as his can inadvertently  allow an owner to gain root access for purposes of debugging applications and system components or to access features not presented to applications by Android APIs.http://source.android.com/devices/tech/security/#the-android-permission-model-accessing-protected-apis
On some devices, a person with physical control of a device and a USB cable is able to install a new operating system that provides root privileges to the user. To protect any existing user data from compromise the bootloader unlock mechanism requires that the bootloader erase any existing user data as part of the unlock step. Root access gained via exploiting a kernel bug or security hole can bypass this protection.

Encrypting data with a key stored on-device does not protect the application data from root users. Applications can add a layer of data protection using encryption with a key stored off-device, such as on a server or a user password. This approach can provide temporary protection while the key is not present, but at some point the key must be provided to the application and it then becomes accessible to root users.

A more robust approach to protecting data from root users is through the use of hardware solutions.
See the crypto implementation http://source.android.com/devices/tech/encryption/android_crypto_implementation.html
0
 
PsychotextAuthor Commented:
This is a great repository of information. Really helped with some best in practice solutions for other issues I may have in the future or have been wondering around in passing, thanks a lot.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now