Solved

Android Encryption Credentials

Posted on 2014-10-12
2
222 Views
Last Modified: 2014-11-04
Hey,

I have some credentials on the tablet side for Android Development and I was looking for the best practices for being able to decrypt/encrypt them during run time so that any debugging of the application would prove futile once the application had been built.

Thanks for any time taken with this query.
0
Comment
Question by:Psychotext
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
Good to check out below on best practices

the securecoding in CERT org (https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535), e.g. the DRD10-J. Do not release apps that are debuggable

the Android developer community
We also want to make sure the device is not rooted as his can inadvertently  allow an owner to gain root access for purposes of debugging applications and system components or to access features not presented to applications by Android APIs.http://source.android.com/devices/tech/security/#the-android-permission-model-accessing-protected-apis
On some devices, a person with physical control of a device and a USB cable is able to install a new operating system that provides root privileges to the user. To protect any existing user data from compromise the bootloader unlock mechanism requires that the bootloader erase any existing user data as part of the unlock step. Root access gained via exploiting a kernel bug or security hole can bypass this protection.

Encrypting data with a key stored on-device does not protect the application data from root users. Applications can add a layer of data protection using encryption with a key stored off-device, such as on a server or a user password. This approach can provide temporary protection while the key is not present, but at some point the key must be provided to the application and it then becomes accessible to root users.

A more robust approach to protecting data from root users is through the use of hardware solutions.
See the crypto implementation http://source.android.com/devices/tech/encryption/android_crypto_implementation.html
0
 
LVL 2

Author Closing Comment

by:Psychotext
Comment Utility
This is a great repository of information. Really helped with some best in practice solutions for other issues I may have in the future or have been wondering around in passing, thanks a lot.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Displaying an arrayList in a listView using the default adapter is rarely the best solution. To get full control of your display data, and to be able to refresh it after editing, requires the use of a custom adapter.
If your app took Google’s lash recently, here are the 5 most likely reasons.
This video is in connection to the article "The case of a missing mobile phone (https://www.experts-exchange.com/articles/28474/The-Case-of-a-Missing-Mobile-Phone.html)". It will help one to understand clearly the steps to track a lost android phone.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now