Solved

Android Encrypt JSON String and Credentials

Posted on 2014-11-11
Last Modified: 2014-11-13
Hey, I'm currently looking into potential solutions for obfuscating or encrypting any JSON data and Credentials that would be required to go with the JSON connection string.

For example I have
String strExtraInfo = "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&key=" + VT_DatabaseHelper.strJSONKey;
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);

JSONObject jsonUpdates;

jsonUpdates = VT_JSON.getJSONfromURL("http://*****.co.uk/json/json_data.ashx?" + strTable + "data=1" + strExtraInfo);

This then has the credentials added and is then sent. HTTPS is one solution, but our main concern is that the device could be hooked up to an external debugging program and the data extracted that way. Along with being able to decompile the application, this makes even more holes for people to be able to attack or inject data directly through the given JSON strings.

We currently use Eclipse's handy Proguard feature to obfuscate as much of the program classes and data that we can, but we're still worried that it could be intercepted if a person was to try hard enough.

Any examples or techniques that could be used to make this more secure would be greatly appreciated.
Question by:Psychotext
Accepted Solution

by:
btan earned 500 total points
ID: 40436682
Indeed, security through obscurity is not good enough, though it deters against persistent attempts; an obfuscator is not perfect as a whole. You can catch this article on the different techniques, and it seems like the more resistant one is the Bangcle appProtect service, which only decrypts in memory and has anti-debugging capability.

But most of the time, using the packer or similar tools may also trigger false alerts in the Android security software, so it is better to test on the eventual target device with the apps.

Also, you may want to catch Shield4J, which is Java based and does the securing functions too. But we have to be wary to avoid having a hardcoded password or secret in the code. Minimally, it can be shared out of band or through other means instead.
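
As an added example (not part of the original post or of any code in this thread), one way to act on the advice about not shipping a shared secret with the request: rather than sending `key=` in the query string, sign the parameters with HMAC-SHA256 under a per-device key so the server can detect injected or altered values. The class and method names, the `ts` and `sig` parameters and the out-of-band key provisioning are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
public class SignedRequest {
    // HMAC-SHA256 of msg, hex-encoded.
    static String hmacHex(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }
    // Client: sorted, URL-encoded parameters plus a timestamp, then "&sig=". The key is never sent.
    static String sign(byte[] key, Map<String, String> params, long nowSec) throws Exception {
        Map<String, String> sorted = new TreeMap<>(params);
        sorted.put("ts", Long.toString(nowSec));
        StringBuilder q = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (q.length() > 0) q.append('&');
            q.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
             .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return q + "&sig=" + hmacHex(key, q.toString());
    }
    // Server: recompute the MAC, compare in constant time, then bound the request's age.
    static boolean verify(byte[] key, String signed, long nowSec, long maxAgeSec) throws Exception {
        int i = signed.lastIndexOf("&sig=");
        if (i < 0) return false;
        String query = signed.substring(0, i);
        byte[] want = hmacHex(key, query).getBytes(StandardCharsets.UTF_8);
        byte[] got = signed.substring(i + 5).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(want, got)) return false;
        for (String kv : query.split("&"))
            if (kv.startsWith("ts=")) return Math.abs(nowSec - Long.parseLong(kv.substring(3))) <= maxAgeSec;
        return false;
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo key; assumed to be provisioned per device out of band, not compiled in.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        Map<String, String> params = new TreeMap<>();
        params.put("dtExampleData", "42"); // constructed sample value
        String signed = sign(key, params, 1415700000L);
        System.out.println(verify(key, signed, 1415700030L, 300));                       // untouched request
        System.out.println(verify(key, signed.replace("=42", "=43"), 1415700030L, 300)); // altered value
    }
}
```

This gives integrity and a bounded replay window only: the parameters stay readable, so the request still needs HTTPS, and a key held on the device remains within reach of someone who controls that device.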

Author Comment

by:Psychotext
ID: 40437248
Through that article you posted (it was a very interesting read) I came across and followed DexGuard, which massively appeals to what I require since it's from the same developer as Proguard and holds all the features I need. My concern with this is that, unlike the other two you linked, they do not have a 'trial' version to test out for certain features.

What I'm worried about is that I also currently use Bugsense/Splunk for error reporting and debug information sent from the tablet. I know that Proguard allows for this to have the mapping.txt uploaded to allow the functionality to remain, but I don't seem to be able to find any information on the DexGuard website stating whether or not they do it.

Assisted Solution

by:btan
btan earned 500 total points
ID: 40437591
A decompiler can still decompile the obfuscated code, which is what Proguard is doing, but DexGuard has more measures indeed. I believe both DexGuard and Proguard have the retrace.bat, which works for each uniquely. I saw in a forum that it was suggested to use DexGuard's retrace tool instead, e.g. java -jar /var/DexGuard/lib/retrace.jar -verbose mapping.txt trace.txt
It should still be viable since it is backward compatible with Proguard, but I have not heard of any thorough test though. It may still be worth exploring with DexGuard support: http://www.saikoa.com/contact