Android Question What are the recommended ways of storing encryption keys

toby

toby

Well-Known Member
Licensed User
Longtime User
Google requires that all new apps need to encrypt user's personal data before transmitting to and storing in the remote database.

For the sake of security, how I should store the encryption keys somewhere inside the app, or somewhere outside the app and easily accessible by the app?

Earlier I was thinking about the SecuredAssets tool, still the app needs the password to decrypt.

I'm looking forward to some good advices

TIA.
 
Sort by date Sort by votes
toby

toby

Well-Known Member
Licensed User
Longtime User
What I'm trying to achieve is that when the app is decompiled, make it harder, if not impossible, for the key to be extracted.
 
Upvote 0
Jeffrey Cameron

Jeffrey Cameron

Well-Known Member
Licensed User
Longtime User
You are going to have to store some type of a key or password on the device at some point if you are going to be decrypting on the device itself. Unless you use the user's password (or their password hash) as part of your local key, then in that case the full password is not stored on the device (because they have to type it in each time).

The only 100% sure-fire method would be to have the server-end do all the encrypting then no keys are on the remote client.
 
Upvote 0
toby

toby

Well-Known Member
Licensed User
Longtime User
Jeffrey Cameron said:
you use the user's password (or their password hash) as part of your local key, then in that case the full password is not stored on the device (because they have to type it in each time).

The only 100% sure-fire method would be to have the server-end do all the encrypting then no keys are on the remote client.
Click to expand...
Using user password is a good idea; it's too bad that users don't enter any password in my app.

Google requires that user data need to be encrypted on the client side before sending over to the server, therefore server-end encryption alone wouldn't work.
 
Upvote 0
A

Alex_197

Well-Known Member
Licensed User
Longtime User
Jeffrey Cameron said:
You are going to have to store some type of a key or password on the device at some point if you are going to be decrypting on the device itself. Unless you use the user's password (or their password hash) as part of your local key, then in that case the full password is not stored on the device (because they have to type it in each time).

The only 100% sure-fire method would be to have the server-end do all the encrypting then no keys are on the remote client.
Click to expand...
what if you need to send the data from the app in encrypted mode? For example - UserID which is a Primary key in users table in the database? Or a device id? So you need to encrypt it forst on the device before send it back to the server.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

Erel
  • Locked
  • Article
B4A Library [B4X] KVS - KeyValueStore library
2 3
Replies
44
Views
27K
Erel
Erel
Peter Simpson
  • Article
B4A Library AES Encrypt/Decrypt (Encryption/Decryption) B4A and B4J library
Replies
13
Views
10K
hayk
hayk
Erel
  • Locked
  • Article
B4J Library [B4X] KVS2 / KeyValueStore 2 - Simple & Powerful Local Datastore
2 3 4
Replies
74
Views
58K
Erel
Erel
Erel
  • Article
Android Tutorial [B4X] CloudKVS - synchronized key / value store
7 8 9
Replies
172
Views
67K
Erel
Erel
Erel
  • Locked
  • Article
Android Tutorial KeyValueStore class - Simple and efficient key/value data store
6 7 8
Replies
142
Views
83K
Erel
Erel
Top