How to securely store AES key and iv in android?
Question
I have an android app which is receiving data from a php page using HTTP get/post request. I'm encrypting the data at server side and decrypting in android. I'm using AES 128bit Encryption, I have hardcoded the strings key and iv in the android side. If anyone reverse engineers my apk, they can get the key and iv easily. Is there any way I can store these 2 strings securely in the apk. Please help
2 answers
solution1
4 2017-09-24 17:10:00
You can use Android Keystore Keystore provider feature that was introduced in Android 4.3 (API level 18).
The Android Keystore system lets you store private keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the private key material remaining non-exportable. https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore
solution2
2 ACCPTED 2017-09-24 23:04:13
No, that would be akin to solving the DRM problem.
You can of course hide the key in plain sight, for instance using the answer of Alireza but it's impossible to secure the key without controlling the devices it is stored in.
You can of course implement your own transport mode security: that way you do not have to have a secret key in your APK (just a trusted public key or certificate).
However, the quick, easy and above all secure way is to use TLS. Especially when using forward secrecy (EDH_ or ECDHE_ ciphersuites) your data should be secure.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.