Android Encrypt JSON String and Credentials (Solved)

Posted on 2014-11-11, last modified 2014-11-13. 769 views.
Hey, I'm currently looking into potential solutions for obfuscating or encrypting any JSON data and credentials that would be required to go with the JSON connection string.

For example, I have:

String strExtraInfo = "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&key=" + VT_DatabaseHelper.strJSONKey;   // shared key held inside the app
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);

JSONObject jsonUpdates;

// the key and the data travel together in the query string of the request
jsonUpdates = VT_JSON.getJSONfromURL("http://*****.co.uk/json/json_data.ashx?" + strTable + "data=1" + strExtraInfo);


which then has the credentials added and is then sent. HTTPS is one solution, but our main concern is that the device could be hooked up to an external debugging program and the data extracted that way; also, along with being able to decompile the application, it leaves even more holes for people to be able to attack or inject data directly through the given JSON strings.

We currently use Eclipse's handy Proguard feature to obfuscate as many of the program classes and as much of the data as we can, but we're still worried that it could be intercepted if a person were to try hard enough.

Any examples or techniques that could be used to make this more secure would be greatly appreciated.
Question by: Psychotext

3 Comments

Accepted Solution by: btan (LVL 61, earned 500 total points)
ID: 40436682
Indeed, security through obscurity is not good enough, though it deters against persistent attempts; an obfuscator is not perfect as a whole. You can catch this article on the different techniques, and it seems like the more resistant one is the Bangcle appProtect service, which only decrypts in memory and has anti-debugging capability.

But most of the time, using a packer or similar tools may also trigger false alerts from the Android security software, so it is better to test on the eventual target device with the app.

Also, you may want to catch Shield4J, which is Java based and does the securing functions too. But we have to be wary to avoid having hardcoded passwords or secrets in the code. Minimally, they can be shared out of band or through other means instead.
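The point above about not having a hardcoded secret in the code, turned into an added example that is not code from the question or from either answer: a hypothetical replacement for the `&key=` parameter in which the server issues each device its own key at enrolment, out of band, and the client signs every request with HMAC-SHA256 over the device id, a timestamp, a nonce and the query string. The `Server` class is an in-process stand-in for the json_data.ashx handler; `SignedRequestDemo`, `enrol`, `signRequest`, `verify` and the device ids and sample query are all invented for the illustration. A decompiled APK then contains no usable secret at all, and a key dumped from one tablet under a debugger is only that tablet's key, which the server can revoke. The `main` method runs the genuine, replayed, tampered, forged-device-id and revoked cases in turn.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical replacement for a shared "&key=" parameter: every device holds
// its own key, handed out by the server at enrolment (out of band), and each
// request carries an HMAC over device id, timestamp, nonce and query string.
public class SignedRequestDemo {
    private static final String ALG = "HmacSHA256";

    // The string both sides authenticate. Newline separators keep the four
    // fields from running into each other if a value happens to contain '&'.
    static String canonical(String deviceId, long ts, String nonce, String query) {
        return deviceId + "\n" + ts + "\n" + nonce + "\n" + query;
    }

    static String mac(byte[] key, String data) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(new SecretKeySpec(key, ALG));
        byte[] tag = m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Client side: append the authentication parameters to an existing query.
    static String signRequest(String deviceId, byte[] deviceKey, long ts,
                              String nonce, String query) throws Exception {
        String sig = mac(deviceKey, canonical(deviceId, ts, nonce, query));
        return query + "&dev=" + deviceId + "&ts=" + ts + "&nonce=" + nonce + "&sig=" + sig;
    }

    // Server side: in-process stand-in for the json_data.ashx handler (assumption).
    static class Server {
        static final long MAX_SKEW_MS = 5 * 60 * 1000L;          // accepted clock drift
        private final Map<String, byte[]> keys = new HashMap<>();
        private final Set<String> seenNonces = new HashSet<>();  // replay cache
        private final SecureRandom rng = new SecureRandom();

        // Enrolment: the key is generated here and delivered to the device over
        // an authenticated channel, so it is never compiled into the APK.
        byte[] enrol(String deviceId) {
            byte[] k = new byte[32];
            rng.nextBytes(k);
            keys.put(deviceId, k);
            return k;
        }

        void revoke(String deviceId) { keys.remove(deviceId); }

        boolean verify(String signedQuery, long now) throws Exception {
            int cut = signedQuery.indexOf("&dev=");
            if (cut < 0) return false;
            String query = signedQuery.substring(0, cut);
            Map<String, String> auth = new HashMap<>();
            for (String kv : signedQuery.substring(cut + 1).split("&")) {
                int eq = kv.indexOf('=');
                if (eq < 0) return false;
                auth.put(kv.substring(0, eq), kv.substring(eq + 1));
            }
            String dev = auth.get("dev"), nonce = auth.get("nonce"), sig = auth.get("sig");
            byte[] key = keys.get(dev);
            if (key == null || nonce == null || sig == null || auth.get("ts") == null) return false;
            long ts;
            try { ts = Long.parseLong(auth.get("ts")); } catch (NumberFormatException e) { return false; }
            if (Math.abs(now - ts) > MAX_SKEW_MS) return false;  // too old or too far ahead
            String nonceKey = dev + ":" + nonce;
            if (seenNonces.contains(nonceKey)) return false;      // replay of an accepted request
            String expected = mac(key, canonical(dev, ts, nonce, query));
            // Constant-time comparison so timing does not leak how much of the tag matched.
            boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                               sig.getBytes(StandardCharsets.UTF_8));
            if (ok) seenNonces.add(nonceKey);                     // only genuine requests consume a nonce
            return ok;
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        byte[] tabletKey = server.enrol("tablet-0001");
        long now = System.currentTimeMillis();
        String query = "table=updates&data=1&dtExampleData=42";   // constructed sample query

        String genuine = signRequest("tablet-0001", tabletKey, now, "n1", query);
        System.out.println("genuine request accepted: " + server.verify(genuine, now));
        System.out.println("same request replayed:    " + server.verify(genuine, now + 1000));

        String tampered = signRequest("tablet-0001", tabletKey, now, "n2", query)
                .replace("dtExampleData=42", "dtExampleData=43");
        System.out.println("tampered request:         " + server.verify(tampered, now));

        // A key lifted from one tablet does not let an attacker pose as another device...
        String forged = signRequest("tablet-0002", tabletKey, now, "n3", query);
        System.out.println("forged device id:         " + server.verify(forged, now));

        // ...and once a key is known to be compromised the server can simply drop it.
        server.revoke("tablet-0001");
        String afterRevoke = signRequest("tablet-0001", tabletKey, now, "n4", query);
        System.out.println("after revocation:         " + server.verify(afterRevoke, now));
    }
}
```

Compile and run with `javac SignedRequestDemo.java && java SignedRequestDemo`. Two caveats a practitioner would want: the signature gives the server authentication and integrity of the query, not confidentiality, so the data itself still needs HTTPS; and the skew window bounds how long the server has to remember nonces, since anything older than `MAX_SKEW_MS` is rejected before the cache is consulted. The per-device key on the tablet should live in the app's private storage (or the Android KeyStore where the device supports it) rather than in a string constant, so that a decompiled APK yields nothing at all.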
Author Comment by: Psychotext (LVL 2)
ID: 40437248
Through that article you posted (it was a very interesting read) I came across and followed up on DexGuard, which massively appeals to what I require, since it's from the same developer as Proguard and holds all the features I need. My concern with this is that, unlike the other two you linked, they do not have a 'trial' version to test out certain features.

What I'm worried about is that I also currently use Bugsense/Splunk for error reporting and debug information sent from the tablet. I know that Proguard allows the mapping.txt to be uploaded so that this functionality remains, but I don't seem to be able to find any information on the DexGuard website stating whether or not they support it.
Assisted Solution by: btan (LVL 61)
ID: 40437591
A decompiler can still decompile the obfuscated code, which is what Proguard is doing, but DexGuard has more measures indeed. I believe both DexGuard and Proguard have retrace.bat, which works for each uniquely. I saw in a forum that it was suggested to use DexGuard's retrace tool instead, e.g. java -jar /var/DexGuard/lib/retrace.jar -verbose mapping.txt trace.txt
It should still be viable since it is backward compatible with Proguard, but I have not heard of any thorough test of it though. It may still be worth exploring with DexGuard support: http://www.saikoa.com/contact