We are in the making of an Android app, a quiz game, which we would like to cache questions + answers for when the user is offline. The problem with this is that we would need to withhold this data from the user until she has answered the questions. Otherwise, cheating would be very easy, which would harm the game. One could then extract all questions + answers and automatically submit answers to the server API.
The most convenient way would be to retrieve a key or secret from our server at installation time, hide it "somewhere", and use it for communication with the server, and also for the encryption of questions + answers in storage. But obviously, hiding it "somewhere" is not a secure concept.
I have researched a bit, and it seems that reliable encryption is not possible in such cases, because the app has to "know" the secret (be it a certificate, passphrase + salt, or whatever) or at least where it can be found, and this can be extracted by decompilation. However, we would be fine with it being hard enough to do.
The question is: Do you know of a way to make it prohibitively hard for regular users to retrieve a secret from the APK - i.e., make it near-impossible to write an automated key-extractor?
My best guesses so far:
- Hide some information in the database and use it as salt for the key
- Add several bits of information from the device as salt (IMEI, email address, serial number,...) - perhaps together with obfuscation the way how the salt is applied might be hard to obtain?
You could use a separate key for each question, which depends on the answer to the previous question. So it's impossible to decrypt question 2 unless you've already answered question 1.