Yes this is a pretty general question but I'm trying to get a feel for the best way to handle an app that touches base w/ a webserver that distributes sensitive data to the app. Any links, general information advice etc.. would be appreciated.
Since the app would store persistant data retreived from the database for a certain amount of time.. everything becomes somewhat touchy.
Use SSL on HTTPS to transfer data instead of HTTP you need to setup the certificates on the webserver not very sure how it works..
If you are really concerned about the data then further encrypt it with a unique algorithm before sending and decrypt it when it reaches the app. I guess that's all about it.. Unless you need something really strong then develop your own protocol based on TCP and/or use another port.. maybe that'll help
http://en.wikipedia.org/wiki/Secure_Sockets_Layer http://developer.android.com/reference/javax/net/ssl/package-summary.html http://blog.synyx.de/2010/06/android-and-self-signed-ssl-certificates/
As for storing data in the app what you can encrypt the data before storing or you can use another format other than SQLite for better security as you can view sqlite databases using the browser pretty easily.
Unless the phone is rooted there should not be a way to extract the data from it.
Storing sensitive data on the device
That depends very much on your audience. Normally, the Android OS prohibits apps from accessing each other's files (i.e. databases, preference files, regular files stored in the app's private directory) through proven Linux file permissions. However, on rooted devices an application can obtain root access and read everything. A few things to think about:
To conclude, if your information is not super-duper sensitive (e.g. credit card information), I'd suggest just sticking with the default security provided by Android (i.e. save everything in plain text, knowing other apps can't access it).
Otherwise, encryption is the way to go. It's not 100% secure (a hacker could de-compile your app and figure out how to decrypt the data), but it's a major pain to crack and will stop most hackers. Especially if you obfuscate your code with something like ProGuard.
Transferring sensitive data from the server to the device
You have a few options here. First of all, always use HTTPS. After enabling HTTPS, here are two extra security measures I would propose:
time=1321802432&key=[generated-key]
where
generated-key
is generated from thetime
parameter. For example:md5(time + salt)
. When the server receives this request, it can do two things:key
is indeed equal tomd5(time + salt)
(note that only the client and the server know the salt and it can be obfuscated similarly to the API key above), andtime
is not too far back in the past (e.g. if it's more than 1-2 minutes in the past, consider the request invalid).The second method is more useful if you are also doing plain HTTP requests, where everyone can see the parameters being sent. Also, it's much harder to figure out from decompiled code. Especially if you spread the key calculation logic across multiple classes.
However, note that nothing makes it impossible to crack your app. You can obfuscate as much as you want, if a hacker is really determined to get to your data, he will be able to so by decompiling your application and spending many sleepless nights passing through your code and figuring out how the requests are formed. The only real way of securing your data is by asking your user for a password, besides doing all the work I wrote about above. You can't get a password that only exists in someone's (the user) head from decompiled code :).
(Came here thanks to a Google search)
I've been researching this a lot lately and this page has come up a lot thanks to Google and Bing searches. The widely-accepted procedure for storing data on the device securely has been to use a strong encryption algorithm like AES. The harder question is "AES requires a secure key. What do you do with the key?"
Google recently announced a cloud-based storage solution for apps, so you could consider storing the key there if the situation allows. Otherwise, its seems that getting the key outside the device, like on a server, is better. If you can make the user punch in a PIN, that would actually work the best. You can do password derivation in order to store the password, and you can redo the derivation to verify the password
Without the "user punching in a PIN" part, I haven't found a lot of good answers to that question. However, DO NOT HARD-CODE THE KEY IF YOU MUST STORE ONE WITH THE APP. At the minimum, generate a key using a secure password generator and/or a derivation function like PBKDF2 (Password-based derivation function 2).
If I read the posts correctly, Google did say that one approach is to generate a key once the app starts the first time, store the key via the MODE_PRIVATE flag to a lot of file I/O operations, and use that as the key. You can also derive other keys based on that master key, and the NIST actually suggests something along that lines.
Whether or not to trust the master-key method, I'll leave to you. This key would get exposed on a rooted device. I'll also admit that I'm still researching the issue
Every application on Android runs in a secure sandbox environment, so other processes on the system cannot access your code or private data without proper handshake. But still there are many vulnerabilities are possible by poor design of the apps. This link from Android developers site advice you some of the good tips for security - https://developer.android.com/training/articles/security-tips.html
If you want to pretty much ensure the user cannot see the data other than by looking at your app then encryption is really the only way. Even the "protected" storage is accessible to the user if a device is rooted. Even encryption is not totally secure as you need to decrypt the data at some point in order to display it. You will dissuade the casual browser but not the determined hacker.