Solved

Android Encrypt JSON String and Credentials

Posted on 2014-11-11
812 Views
Last Modified: 2014-11-13
Hey, I'm currently looking into potential solutions for obfuscating or encrypting any JSON data and Credentials that would be required to go with the JSON connection string.

For example I have
// Extra query-string parameters appended to the JSON request URL
String strExtraInfo = "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&key=" + VT_DatabaseHelper.strJSONKey;   // key held as a constant inside the app
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);

JSONObject jsonUpdates;

// The whole query string, key included, travels in the URL of the GET request
jsonUpdates = VT_JSON.getJSONfromURL("http://*****.co.uk/json/json_data.ashx?" + strTable + "data=1" + strExtraInfo);


This then has the credentials added and is then sent. HTTPS is one solution, but our main concern is that the device could be hooked up to an external debugging program and the data extracted that way; also, along with being able to decompile the application, it makes even more holes for people to be able to attack or inject data directly through the given JSON strings.

We currently use Eclipse's handy Proguard feature to obfuscate as much of the program classes and data that we can, but we're still worried that it could be intercepted if a person was to try hard enough.

Any examples or techniques that could be used to make this more secure would be greatly appreciated.
Question by: Psychotext

3 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40436682
Indeed, security through obscurity is not good enough, though it deters against persistent attempts; an obfuscator is not perfect as a whole. You can catch this article on the different techniques, and it seems like the more resistant one is the Bangcle appProtect service, which only decrypts in memory and has anti-debugging capability.

But most of the time, using a packer or similar tools may also trigger false alerts in Android security software, so it is better to test on the eventual target device with the apps.

Also, you may want to catch Shield4J, which is Java based and does the securing functions too. But we have to be wary to avoid having hardcoded passwords or secrets in the code. Minimally, they can be shared out of band or through other means instead.
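As an added example (not code from the question or from either answer), here is what "no hardcoded key" plus protecting the query string can look like: the per-install key is provisioned out of band and kept in app storage rather than in the APK, and the client signs the JSON query parameters so that a request altered through a debugger or replayed from a capture is rejected server-side. It is written in Python rather than Android Java so it runs stand-alone; the device id, key, parameter names and the 300-second window are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed demo key: provisioned per install out of band (e.g. returned over
# HTTPS after a login) and held in app storage, so it never sits in the code.
DEVICE_ID = "tablet-0042"
SERVER_KEYS = {DEVICE_ID: b"constructed-demo-key-not-for-production"}
MAX_SKEW = 300  # seconds a signed request stays acceptable


def canonical(params):
    """Deterministic encoding of every field except the signature itself."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "sig"))


def sign_request(device_id, key, params, now=None):
    """Client side: add device id, timestamp and nonce, then HMAC the lot."""
    signed = dict(params)
    signed["device"] = device_id
    signed["ts"] = int(now if now is not None else time.time())
    signed["nonce"] = secrets.token_hex(8)
    signed["sig"] = hmac.new(key, canonical(signed).encode(), hashlib.sha256).hexdigest()
    return urlencode(signed)  # goes after the '?' of the JSON handler URL


def verify_request(query, seen_nonces, now=None):
    """Server side: recompute the MAC; reject unknown, altered, stale or replayed requests."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    key = SERVER_KEYS.get(params.get("device"))
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "bad signature"  # any edited parameter changes the MAC
    now = int(now if now is not None else time.time())
    try:
        stale = abs(now - int(params.get("ts", ""))) > MAX_SKEW
    except ValueError:
        return False, "bad timestamp"
    if stale:
        return False, "stale timestamp"
    if params["nonce"] in seen_nonces:
        return False, "replayed nonce"  # same capture sent twice
    seen_nonces.add(params["nonce"])
    return True, "ok"
```

The key still has to be protected on the device, but with this scheme a captured or decompiled request no longer lets someone inject arbitrary values through the JSON query string.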
 
LVL 2

Author Comment

by:Psychotext
ID: 40437248
Through that article you posted (it was a very interesting read) I came across and followed DexGuard, which massively appeals to what I require, since it's from the same developer as Proguard and holds all the features I need. My concern with this is that, unlike the other two you linked, they do not have a 'trial' version to test out certain features.

What I'm worried about is that I also currently use Bugsense/Splunk for error reporting and debug information sent from the tablet. I know that Proguard allows this to keep working by uploading the mapping.txt, but I don't seem to be able to find any information on the DexGuard website stating whether or not they support it.
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40437591
A decompiler can still decompile the obfuscated code, which is what Proguard is doing, but DexGuard has more measures indeed. I believe both DexGuard and Proguard have the retrace.bat, which works for each uniquely. I saw in a forum that it was suggested to use DexGuard's retrace tool instead, e.g. java -jar /var/DexGuard/lib/retrace.jar -verbose mapping.txt trace.txt
It should still be viable since it is backward compatible with Proguard, but I have not heard of any thorough test, though. It may still be worth exploring with the DexGuard support. http://www.saikoa.com/contact