Android Question To encrypt or not encrypt POST data over HTTPS

toby

Well-Known Member
Licensed User
Longtime User
Currently I encrypt sensitive data and use GET method (httpjob.download2()) to send data to the server over HTTPS. I'm replacing GET methods with POST (J.PostString(url , data )) due to GET's max data length limitation and its being insecure.

Since HTTPS provides end-to-end encryption already, if I continue to use B4XEncryption to encrypt data being sent, that would result in double encryption. Is that necessary?
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
It depends on how you define necessary. The data is encrypted with https.
A determinate hacker will be able to decrypt the data in both cases.

- https communication can be encrypted by installing a new root certificate.
- the local encryption means that you hide the password somewhere in your app code and this can also be hacked.
 
Upvote 0

KMatle

Expert
Licensed User
Longtime User
I always encrypt (AES256) the payload, too because you never know... Some providers may be forced to share the keys/data with governments or they get hacked. So an additional E2E encryption (like a VPN) is always a good thing. Sign the data (RSA), too. See my examples here as B4xEncryption is not compatible to e.g. php, .net. Use Agraham's Encryption lib.
 
Upvote 0

Hamied Abou Hulaikah

Well-Known Member
Licensed User
Longtime User
if I continue to use B4XEncryption to encrypt data being sent, that would result in double encryption. Is that necessary?
Yes, it is necessary. you just make it harder to the hacker work to succeeded in decrypt.
HTTPS only is not complete encryption, man in the middle can bypass HTTPS easily.
 
Upvote 0
Cookies are required to use this site. You must accept them to continue using the site. Learn more…