Android Question Encryption?

jnjft

Member
Licensed User
Longtime User
Hello, I have a question about the data security of my apps.

A simple example:
Say, I've made me an app that stores personal information about all of my (real life) friends, like their names, addresses, phone numbers etc. and lets me easily contact them. Of course there are lots of apps that can probably do this better than mine, but it's only an example (and maybe I don't trust those apps...)
The database and everything else is stored in the internal directory so it cannot be seen by the outside world, right?
But what if I lose my device or it gets stolen?
Anyone could just start my app and get all of my friends' data.
So I decide to protect my app with a password. Since I'm planning to offer my wonderful app on the playstore I'll have to provide a possibility for every user to set his own password.
Where do I save this password?
I save it in the internal directory so it cannot be seen by the outside world.
Still, anyone who finds or steals the device could easily root it and get access to all the files and read out the password file.
So I'll have to encrypt the password file (and the database as well) with the B4XEncryption library (thanks for providing it in the IDE!).
Where do I store the password for the decryption of the password file?
I can only think of hardcoding it into the source code, so it is then enclosed in the apk-file.
But what if someone could somehow disassemble the apk-file? Is this possible? And if it is, how big is the effort to do so?
Does encryption make any sense, if it is useless in the end?
Am I getting things wrong?
 

Ed Brown

Active Member
Licensed User
Longtime User
As a rule, I never save/store passwords. Instead, I create a hash of the password and save it somewhere. When the user enters their password I convert/hash it and then compare it to the saved hashed password.

I use this library to generate the hash from a password (https://www.b4x.com/android/forum/threads/base64-and-encryption-library.6839/)

By storing the hashed password you are reducing the risk of the password being stolen. As a guide, the higher the number of bits used to hash the password the better the security.
 
Upvote 0

udg

Expert
Licensed User
Longtime User
Adding to what others already suggested to you: which is a better place to store the encrypting/decrypting password?
In your users' brain!

Your app could prompt the user for his/her own pwd on start and use it to encrypt/decrypt data to/from the DB.
For a new installation the DB could be empty (if you attach it via Files and then copy it to a writable folder) or be built on the fly (if you provide the needed code).
Once the user enters some new info to be inserted in the DB, you encrypt it with the given pwd and save it in the DB. Same when you search for existing data.

This way, if the phone is lost/stolen what is recovered is a useless DB containing encrypted data. Obviously this doesn't apply if the phone is "taken" while the app is running or if the pwd is too short or too easy to guess.

For sensitive data (like medical records) one could suggest the use of an NFC tag as the key to open up the app. I mean, the app will work only when it registers the presence of a specific nearby tag. Once the phone is held "too far" from the tag, the app will stop working properly (eventually displaying a message like "where is my tag?" eheh).
 
Upvote 0

tigrot

Well-Known Member
Licensed User
Longtime User
Adding to what others already suggested to you: which is a better place to store the encrypting/decrypting password?
In your users' brain!
Yes, but this is also the main cause of lost data! So you can find "wallet" and "vault" apps which in turn need a password, which you must remember. And where to store this password as well? Never-ending story!
 
Upvote 0

jnjft

Member
Licensed User
Longtime User
Thanks to all for the replies!
I'll have a look at hashes and the obfuscation forum, and the idea with the NFC tag is cool. :cool:
 
Upvote 0

KMatle

Expert
Licensed User
Longtime User
To hash my passwords I use the following sub.

B4X:
Sub SHA256Hash (pw As String) As String
    Dim md As MessageDigest
    Dim ByteCon As ByteConverter
    Dim passwordhash() As Byte
  
    passwordhash = md.GetMessageDigest(pw.GetBytes("UTF8"),"SHA-256")
    Dim SHA256string As String
    SHA256string = ByteCon.HexFromBytes(passwordhash)
    SHA256string = SHA256string.ToLowerCase
    Return SHA256string
End Sub

Call:

B4X:
HashedPW=SHA256Hash("MyPassword")

Libs needed:

ByteConverter
Encryption
 
Upvote 0

Knoppi

Active Member
Licensed User
Longtime User
LOL, I have just written in B4J this function:

B4X:
Sub GetSha256 (pw As String) As String
    'Libs:
    'ByteConverter 1.10
    'Encryption    1.10    (from B4A, works with B4J)
    'https://www.b4x.com/android/forum/threads/base64-and-encryption-library.6839/#content
    Dim md As MessageDigest
    Dim ByteCon As ByteConverter
   
    Dim passwordhash() As Byte
    passwordhash = md.GetMessageDigest( pw.GetBytes("UTF8"), "SHA-256")

    Dim sha256string As String
    sha256string = ByteCon.HexFromBytes( passwordhash)

    Return sha256string
End Sub
 
Upvote 0
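
The stored-hash check and the password-derived key discussed in the posts above (Ed Brown, udg, KMatle, Knoppi), as an added example in Python that is not code from any poster or from a B4X library. The function names, record layout, salt size and iteration count are assumptions; PBKDF2 with a random per-installation salt is used next to the single SHA-256 call so the difference in what ends up on the device is visible.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the slowest supported device


def sha256_hex(pw: str) -> str:
    """Same output as the SHA256Hash sub in the thread: unsalted, one round."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def derive(pw: str, salt: bytes, iterations: int):
    """Stretch the password once, then split it into two independent values."""
    master = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    verifier = hmac.new(master, b"verifier", hashlib.sha256).digest()
    data_key = hmac.new(master, b"data-key", hashlib.sha256).digest()
    return verifier, data_key


def enroll(pw: str) -> dict:
    """Record written to app storage. It holds no password and no key."""
    salt = os.urandom(16)
    verifier, _ = derive(pw, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(pw: str, record: dict):
    """Return the 32-byte data key for a correct password, else None."""
    verifier, data_key = derive(pw, record["salt"], record["iterations"])
    if hmac.compare_digest(verifier, record["verifier"]):  # constant-time compare
        return data_key
    return None


if __name__ == "__main__":
    # Constructed sample: two installations where the same password was chosen.
    a, b = enroll("MyPassword"), enroll("MyPassword")
    print("unsalted hashes equal:", sha256_hex("MyPassword") == sha256_hex("MyPassword"))
    print("salted verifiers equal:", a["verifier"] == b["verifier"])
    print("wrong password:", unlock("guess", a))
    print("data key length:", len(unlock("MyPassword", a)))
```

The value returned by `unlock` is meant to be held in memory as the key for the database cipher and never written to storage; only the `enroll` record is saved.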

eps

Expert
Licensed User
Longtime User
Upvote 0

Informatix

Expert
Licensed User
Longtime User
KMatle, thanks for the code - that helps me a lot!


I found no forum for obfuscation actually, but I came upon the post of Erel regarding 'Release (obfuscated)':
https://www.b4x.com/android/forum/threads/code-obfuscation.13773/#content
Thanks for the hint!
The main purpose of obfuscation is to make the code difficult to understand, not to protect data. It is the weakest level of protection available.
As suggested above, the best protection is to store the password in the user's mind, not on the device, but if the app is used very often, typing the password each time can quickly become irritating. And if you store the password in the app, a hacker will find a way to reveal it sooner or later (if your app is not protected against changes, he will add a few lines to read in plain text the result of the code handling the password).
If you're interested in serious protection, there's ProBundle, a set of libraries and two PDF guides explaining how to protect Android apps. It contains a robust solution for the typical problem of passwords.
 
Upvote 0