0

I want to provide security features in an application communicating via open Wi-Fi networks by implementing application-level encryption. The Wi-Fi may be used by other users or applications, but the data transmitted or received for that particular application should be encrypted. How do I achieve this? Are there any specific libraries in Android I can use to achieve this?

Shan
  • Use an encryption library. Since you obviously aren't a crypto expert (few of us are, I'm not one of them) you do not want to write your own; there are very sophisticated attacks that are based on implementations and not just the algorithm. I don't think any are built into Android, but plenty of libraries exist for Java. I'd suggest looking at AES as an algorithm; it's generally considered safe for a few more years. – Gabe Sechan Jul 05 '13 at 21:39

2 Answers

2

In general, you can use SSL/TLS (for stream-based communications) and DTLS (UDP-based variant of TLS) to secure your communication and avoid reinventing the wheel. Contrary to popular belief, TLS does not require X.509 certificates -- TLS supports many authentication mechanisms including OpenPGP, shared keys and more. Not many libraries support those mechanisms though (our SecureBlackbox does).

Encrypting the data on-the-go without TLS is also possible, of course, but again it's a good idea to avoid implementing your own. In this case OpenPGP encryption would be very handy - it supports password-based as well as key-based encryption.

Eugene Mayevski 'Callback
  • Then again, TLS using X.509 certificates seems to cover most of the needs. Even shared keys can easily be replaced by two self-signed certificates. And PGP mainly differs by its key management, not the type of cryptography deployed. – Maarten Bodewes Jul 06 '13 at 22:44
  • @owlstead it's all about key management, yes, but a shared password is definitely easier to maintain and replace than a pair of certificates. – Eugene Mayevski 'Callback Jul 08 '13 at 07:16
  • Yeah, I guess it is a trade-off between easier key management and interoperability. And there may be a lack of platform specific examples for TLS functionality that is not used that often... – Maarten Bodewes Jul 08 '13 at 10:13
0

If you want to protect the communication between Android and your backend service, you can use SOAP or REST web services via HTTPS.

Community
k3b
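
The message-level, password-based option from the first answer and the AES suggestion in the comment, sketched with the standard `javax.crypto` API as an added example (not code from this thread, and not OpenPGP or SecureBlackbox). The class name, the `salt || iv || ciphertext` framing, the iteration count and the sample password are assumptions; it covers confidentiality and tamper detection of a single message only, not peer authentication or replay protection, which TLS provides.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class MessageCrypto { // hypothetical class name for this example
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    private static final int ITERATIONS = 200_000; // assumed work factor; tune per device
    private static final SecureRandom RNG = new SecureRandom();

    // Derive a 256-bit AES key from the shared password and a per-message salt.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    // Output framing (an assumption of this example): salt || iv || ciphertext+tag.
    static byte[] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv); // a GCM nonce must never repeat under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Throws AEADBadTagException if the password is wrong or the message was modified.
    static byte[] decrypt(char[] password, byte[] msg) throws GeneralSecurityException {
        if (msg.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("message too short");
        byte[] salt = Arrays.copyOfRange(msg, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, msg, SALT_LEN, IV_LEN));
        return c.doFinal(msg, SALT_LEN + IV_LEN, msg.length - SALT_LEN - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-password".toCharArray(); // constructed sample value
        byte[] wire = encrypt(pw, "hello backend".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(pw, wire), StandardCharsets.UTF_8));
        wire[wire.length - 1] ^= 1; // simulate modification in transit
        try { decrypt(pw, wire); } catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```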