Android Tutorial Userid/pw/Encryption: Best practice

I see a lot of code where user id's, passwords or other critical Information is stored inside the code. Problem here is that the code can be decompiled very easy and someone can extract the information or the logic of your app. Even if you put it to the assets folder does not work.

Another trap is to store config parameters in a normal textfile. This can be edited by any user.
For this reason you must encrypt all critical data you want to use. Good idea you might think but where do I store the password for that?

Inside the app isn't very clever as I mentioned before, but we have to take a look at our app and what we want to do/protect. Here are some typical situations and how to do it. Please feel free to comment own ideas to improve this post. Please don't post any questions like "how do I use httputils, encryption, php, MySql, etc.). See other examples/Posts for this.

Example 1: A simple app which doesn't communicate over the internet but you need to protect a config file or other data

- at the start check if your (encrypted) config/data file is already there (File.Exists...)
- if not you know that this is the first start
- ask for a password
- create a RAF file and store all data you want with RAF.WriteEncrypted & the given password
- at the next start you will find the file
- ask for the pw
- read the contents with RAF.ReadEncrypted

Benefits: Because the user has to give the pw at every start, it's safe. Of course someone could decrypt the file knowing his own pw but this doesn't make sense because he only sees his stored data or some configurations. The normal user has no chance to do this.

Example 2: An app which communicates over the internet (httputils -> php/MySql) OR you can upload a file to a webspace (folder)

- even better
- in your app ask for a userid and a pw
- create the RAF file (Example 1), name it like the userid /f.e. "peter.dat) and upload it to the server/webspace
- store the file in a folder (webspace) or in a MySql db (I never store Blobs/files there, only the index)
- delete the local file :)
- at the next start ask for the userid and pw
- get the file from the folder, MySql db, etc.
- store it local
- read the contents
- delete the file

Benefits: There is no chance to get the file unless you know the userid. Knowing it, you can donwload the file but you'll need the pw (which only the user knows). On the device someone can get the file when he's fast enough but he has to know the pw.

Pro version: Let php create the folder and a .httaccess file with the same user & pw (so the folder is protected). Even a download will not work then if you don't know the userid AND the pw

Example 3: Combinations with other encryption methods (RSA)

Why RSA? All B4x Versions can use it (lib) and the rest of the world (Servers, VS 201x, etc.) and handling the keys is very easy.

At the point when you transmit the userid & the pw to a webserver it is unsafe again. Someone with deeper skills could sniff the data stream an get the userid & pw. Therefore I use RSA to encrypt the meta data (=userid & pw).

RSA uses 2 keys: The public key which is indeed public (everyone may have it) and the private key (which is for your eyes only). In my examples you have 2 clients who want to communicate with: Your app and the server. Each of them then has an own pub and private key.

In this example I use only the App -> Server en-/decryption because you only want to protect your userid & pw while sending it to the server. Forget the RAF file -> we will handle it all on the server

How it works (with php):

- create a public key (with OpenSSL -> see my examples -> has to be done only ONE time)
- store it in a open folder on the server (it is public to anyone) or in a database (ONE time)
- in your app get the server's pub key via httputils
- put the data (userid, pw AND your data which was in the RAF file before) in a List with maps to a JSON-string
- encrypt data with the server's key (use encryption library and see my examples)
- send it to the server PHP-script
- decrypt it via OpenSSL
- store it in a file or better in a MySQL db
- at the next start of your app
- get the server's pub key again
- send an encrypted request (httputils) to the server again ("GetMyData") with your userid & pw
- decrypt it on the server
- get the data from the file or db
- send it to the app

Benefits: All the critical data is encrypted, even during the Transmission except the data/config.

Pro version: Encrypt/Decrypt both sides (app to server, server to app)

SqlLite (local db on your device) without any extension:

- as the db is just a file you could RAF encrypt it
- when you need it, just decrypt to the temp db-file
- closing the app. encrypt it again and delete the temp file

Problem: any skilled user can copy the temp file and Play with it

Q: Why do you use it "that way"?

A: Most likely you need to collect data and then sync/update the data with a server-db. This is a nice way to do that, but ... If you only collect data which will be void later by transfering it to another (remote) db, you could use a RAF file for that which is encrypted.

Q: But I need the data for a longer time and I need fast access to it

A: How much rows are we talking about? 20? 50? 100? Then just put them to a RAF file and load it into a list

Q: I have 100.000+ records in my db. I need a db!

A: Why do you have so many records on a phone/tablet? What do you do with the data (except creating a very personal Wikipedia)? Think about the concept of your app.

Q: I don't care - I want to have my 100K+ rows on my device!

A: Then do it, but - at least - encrypt the data itsself...

Notes:

- Base64 is NOT and encryption but a helper. It will convert your data to a format all clients can convert back and there's no loss of formats on the way. Use it as a standard in all of your Projects, even if you stay in the B4x world.

- don't use Services/libs where you have to give a user & pw in the code of your app.
 
Last edited:

wonder

Expert
Licensed User
Longtime User
Thank you so much for this information! :)
 

Informatix

Expert
Licensed User
Longtime User
Suppose that the purpose of the app is to save a few private data (passwords for forums or email accounts, ID of the bank account, etc.). The user enters these data and encrypts them with a password. A hacker will be able to retrieve this personal encrypted file if he gets access to the device in the first example (no other mean), while in the second example he can get it by cracking the server where the file is stored (which can be done from anywhere and offers much more possibilities if you're not an expert in server security). From a security point of view, I prefer the first example. And because no one will want to enter the login and password for every bit of information in the file, it is very likely that the downloaded file will stay on the device for some time (e.g. in a cache folder). So the second example does not look to me better than the first.
In the third example, the file is stored in decrypted form on the server. Why?
 

KMatle

Expert
Licensed User
Longtime User
#3: edited (indeed no file is stored -> typo)

My intentions was to get the developers think of the security of their apps and making it harder for others to get informations. Cracking a server or getting hands on someone's device is a always a bad thing. But at least you can a few Thing so it is hard to decrypt it. Please feel free to add other ways to do it.
 

Informatix

Expert
Licensed User
Longtime User
My intentions was to get the developers think of the security of their apps and making it harder for others to get informations. Cracking a server or getting hands on someone's device is a always a bad thing. But at least you can a few Thing so it is hard to decrypt it.
I completely agree with that. Anything is better than nothing and too many people do not feel concerned by security (99% of the apps on the Play Store are not protected at all according to a security expert). I try also to find good ways to protect an application and its data. I focused mainly on the protection of application data (the data embedded in the app) in my two guides about security as it is the hardest part. So your tutorial is a good complement for user data. If I find new ideas, I will post them. I know there are means to store safely some data on the device (in a much secure way than a RAF file that has security flaws, e.g. with the Keystore or KeyChain classes in Java). For now, I'm working on a secure class loader (it allows to load dynamically a class located in an encrypted file that may be on the device or on a remote server).
 

lomosami

Member
Licensed User
Longtime User
consider this scenario: A, B applications which communicates over the internet:

-A,B with the same password (like wpa2)
-save password in local with raf
-in every message write user name and password2 (one for each user to authenticate the user at the server, different from the password to encrypt/decrypt ) then the real data
-send data A to B and viceversa with AES encryption
-when B got the data from A decrypt all data verifying if user and password2 is the correct one

Can be a solution without using SSL / RSA connection?
 

Informatix

Expert
Licensed User
Longtime User
consider this scenario: A, B applications which communicates over the internet:

-A,B with the same password (like wpa2)
-save password in local with raf
-in every message write user name and password2 (one for each user to authenticate the user at the server, different from the password to encrypt/decrypt ) then the real data
-send data A to B and viceversa with AES encryption
-when B got the data from A decrypt all data verifying if user and password2 is the correct one

Can be a solution without using SSL / RSA connection?

There's no danger to send to a cloud service some data protected by AES without a secure protocol (btw when the storage is managed by someone else, data should be encrypted in all cases) but if the server has to decrypt the data to use them then your major security problem is the server protection against hacking. It's usually the weak link in the security chain. RSA, AES and other algorithms are useless if the server has opened doors. Just an example: my Hotmail account has been hacked and the south-american hackers did not break the password nor cracked my PC protection (too much work for a single email account) or intercepted anything; they entered the servers where the email data, obviously, were not encrypted by Microsoft (I forced Microsoft to give me the proof of this "soft" intrusion; it may be due to technicians having access to the servers). So think first to protect the two devices at each end of the network.
 
Top