stackoom
  简体   繁体   中英

Correct method of encrypting application data

 原文  2018-01-30 11:30:14       java/ android/ encryption/ password-encryption

Question

Just a quick question about the use of encryption for app data.

Say you have a mobile app, this app needs to store some potentially sensitive data. In this case, a list of corporate ip addresses that need to be kept hidden.

The obvious answer would be to encrypt with the hash of a user's password. However in this case, a user account is optional and so a password may not exist. What would be the next best method of encrypting the stores data?

My first guess and probably the least secure is a key built into the application, but issue here is risk of different attacks that could see that password recovered.

Next guess would be finding some sort of identifier of the device that can be used as a seed for a password generator. Again seems like a flawed method.

Last idea is to securely randomly generate the password and store it encrypted with one of the above methods.

Am I following the right train of thought or am I way off?

I have a decent understanding of cryptography algorithms but finding the right application has me scratching my head. Any help would be much appreciated.

Thank you

2 answers

solution1
 0 ACCPTED  2018-01-30 11:44:57

The point is: as long as your data only resides on the mobile device, in the end, you are limited. In that sense: if you need to store information in a secure and reliable way, then you should consider a "server side" solution.

If that isn't possible, the next best thing is to have your app ask the user for a distinct password - which is then used as key as outlined in your question. You definitely do not want a single generic key that works for all users/devices.

But of course - asking the user to type a special password each time he wants to use the app will not be a solution your users will like. So you will have to offer the user to store that password somehow - which again increases the range of potential attacks.

Long story short: without a "remote" service you simply have to balance "user experience" with "enough security". Depending on your user set, you have to determine what is more crucial to these people - security or convenience.

solution2
 -1  2018-01-30 11:38:25

Next guess would be finding some sort of identifier of the device that can be used as a seed for a password generator. Again seems like a flawed. --- ?

You can encrypt it with the hash of ANDROID_ID or UUID in place of password

What's your opinion on this?

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Encrypting sensitive application data in Java (Android) Encrypting data disallowing awarness of the method used in the source code encrypting old data in database Encrypting exchanged data in a RESTful Encrypting application properties in Spring Boot encrypting numbers in java using a method Correct way of Encrypting and Decrypting an Image using AES Encrypting sensitve data in Eclipse Plugin Which method is correct for data insertion into database How to correct by writing a good method of deleting data?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM