Android Question What are the recommended ways of storing encryption keys

toby

Well-Known Member
Licensed User
Longtime User
Google requires that all new apps need to encrypt user's personal data before transmitting to and storing in the remote database.

For the sake of security, how I should store the encryption keys somewhere inside the app, or somewhere outside the app and easily accessible by the app?

Earlier I was thinking about the SecuredAssets tool, still the app needs the password to decrypt.

I'm looking forward to some good advices

TIA.
 

toby

Well-Known Member
Licensed User
Longtime User
What I'm trying to achieve is that when the app is decompiled, make it harder, if not impossible, for the key to be extracted.
 
Upvote 0

Jeffrey Cameron

Well-Known Member
Licensed User
Longtime User
You are going to have to store some type of a key or password on the device at some point if you are going to be decrypting on the device itself. Unless you use the user's password (or their password hash) as part of your local key, then in that case the full password is not stored on the device (because they have to type it in each time).

The only 100% sure-fire method would be to have the server-end do all the encrypting then no keys are on the remote client.
 
Upvote 0

toby

Well-Known Member
Licensed User
Longtime User
you use the user's password (or their password hash) as part of your local key, then in that case the full password is not stored on the device (because they have to type it in each time).

The only 100% sure-fire method would be to have the server-end do all the encrypting then no keys are on the remote client.
Using user password is a good idea; it's too bad that users don't enter any password in my app.

Google requires that user data need to be encrypted on the client side before sending over to the server, therefore server-end encryption alone wouldn't work.
 
Upvote 0

Alex_197

Well-Known Member
Licensed User
Longtime User
You are going to have to store some type of a key or password on the device at some point if you are going to be decrypting on the device itself. Unless you use the user's password (or their password hash) as part of your local key, then in that case the full password is not stored on the device (because they have to type it in each time).

The only 100% sure-fire method would be to have the server-end do all the encrypting then no keys are on the remote client.
what if you need to send the data from the app in encrypted mode? For example - UserID which is a Primary key in users table in the database? Or a device id? So you need to encrypt it forst on the device before send it back to the server.
 
Upvote 0
Top