-1

I have a signed APK. What I want to do is access the private key and sign (encrypt) some message using it. Is it possible to access this private key through my code at run time? Any sample code to do the same?

Shivv
  • It is not good advice to use your Play Store keys in your app! Everyone could then sign other apps with your key and place them in the store ;) Create a new keypair and use this in your app for encryption. Best practice is to create a new key inside of your app, so every installation has its own. More secure is to ask the user for a password to secure the keystore you produce. – Rene M. Apr 22 '15 at 08:14

1 Answer

1
  1. Never, ever place your keyring for signing Play Store APKs in your app, because everyone can extract the keyring from your app and use it.

  2. Best practice is to create a new keypair inside of your app on first start. So every installation of your app has its own keypair. Otherwise your users could encrypt data from other installations, too.

  3. More secure is to ask the user for a password, which you can then use to secure the keystore for the newly generated keypair. This way even a stolen keystore of your app is harder to crack, because it has a password which only your user knows.

  4. Very complex scenarios use a key exchange system, where your users' keys are generated and managed by a server application. Transport can be done with AES encryption etc.

Here is a good presentation about basic cryptography on Android from a good friend, Al Sutton ;) http://de.slideshare.net/AlSutton/2014-droidcon-nlandroidcryptography?ref=https://www.linkedin.com/in/alsutton

Rene M.
  • Thanks @rmertins. Pt#4 would be ideal, but in our case, many times the app is not connected to the server so we are unable to do key exchange. So we are only left with option 2/3. But again I think this is not fool proof and could be hacked. But of course in the given scenario, this might be the best option. Is it not possible to use the public key of my signed APK to encrypt and store the data on device; and when required use the private key to decrypt it? I guess no, right? Also, why would I need a key pair then, I could simply store a symmetric key and use the same with enc/dec? – Shivv Apr 22 '15 at 09:15
  • 1. Yes you could use the keypair of the APK to do RSA encryption, but as I said it's a bad idea to spread your key in the world. 2. For sure you can use AES encryption with a shared key, which is much simpler. – Rene M. Apr 22 '15 at 09:20
  • Can you please elaborate what you mean by "it's a bad idea to spread your key in the world"? All I am doing is using the private key via my code to decrypt the data (encrypted via my public key). How do I access this private key in my code to decrypt this data? – Shivv Apr 22 '15 at 09:27
  • To access your APK's keypair you have to distribute it with your app as an asset, which means you give every user that installs your app a copy of your keypair. Also, when using the same keypair all the time, data can be encrypted and decrypted by any installation, so user A could decrypt data from user B. The best security is reached by using as many keys and as randomly generated passphrases as possible to make it harder to attack the data. It's harder to attack several keys than one. – Rene M. Apr 22 '15 at 09:31
  • I changed my post added a link to a very good presentation about cryptography on android. – Rene M. Apr 22 '15 at 09:31
  • Yeah thanks. It was a useful presentation. If I use some randomly generated passphrase, then again the issue comes where to store? Ultimately the whole point is around key management and how to secure the keys. – Shivv Apr 22 '15 at 09:42
  • That is always the question when it comes to cryptography. You have to balance the security against the impact on the user. Think about that your user wants everything as simple as possible and doesn't like to remember passwords. So that is your task ;) Don't forget to give me an upvote and solution check ;) – Rene M. Apr 22 '15 at 09:44