Currently I encrypt sensitive data and use the GET method (httpjob.download2()) to send data to the server over HTTPS. I'm replacing the GET methods with POST (J.PostString(url, data)) because of GET's maximum data length limitation and because it is insecure.
Since HTTPS provides end-to-end encryption already, if I continue to use B4XEncryption to encrypt data being sent, that would result in double encryption. Is that necessary?
It depends on how you define necessary. The data is encrypted with https.
A determined hacker will be able to decrypt the data in both cases.
- https communication can be encrypted by installing a new root certificate.
- the local encryption means that you hide the password somewhere in your app code and this can also be hacked.
I always encrypt (AES256) the payload too, because you never know... Some providers may be forced to share the keys/data with governments, or they get hacked. So an additional E2E encryption (like a VPN) is always a good thing. Sign the data (RSA), too. See my examples here, as B4xEncryption is not compatible with e.g. PHP or .NET. Use Agraham's Encryption lib.
Yes, it is necessary. You just make it harder for the hacker to succeed in decrypting it.
HTTPS alone is not complete encryption; a man in the middle can bypass HTTPS easily.