All geek questions in one place

How to hide the public key on Android?

The Android Security Guide says that you should not store the public key (used for the Android market) in the exact same way as a string, and it should be hidden / encoded in some way. Can someone please provide me an example of how this can be done?

(I do not have a separate server, so it cannot be saved there)

Upd. Believe me, this is a fairly common task associated not with Android, but with other applications.

+4
source share
3 answers

The relevant text from the page you're linked to is as follows:

Important: to protect your public key from malicious users and hackers, do not insert your public key in an entire literal string. Instead, build a string at runtime from fragments, or use a manipulation bit (such as XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want a hacker or an attacker to have a public key with a different key.

That is almost all you need to know. There is no harm to people knowing your public key, the potential harm here is that someone replaces the public key in your program on their own in order to reject purchases in the application to their account.

They assume that for this attacker it becomes more difficult for you to store the key in separate fragments or XORing with a key with a different line. Now, instead of just pasting your key over yours, they should figure out what kind of conversions you are doing with the string and make your own key suitable for this template. This works more and can deter occasional intruders, but will not prevent someone who is really determined.

+1
source

If you use the Keytool utility, all this is done for you. You will receive a .keystore file on your local computer containing the secret key (s) encrypted with a password; save this file and password, and you are protected.

http://developer.android.com/guide/publishing/app-signing.html

In fact, I believe that the Android plugin for Eclipse even does all this automatically for you.

0
source

In the key that opens, you can use it and save it as a hash value. It would be even better to salt the hash value with something that you would know when you need to return the hashed value. It could be something like a username or ESN. Look at android.telephony.TelephonyManager.getDeviceId ()

-3
source

Source: https://habr.com/ru/post/1347543/

More articles:


All Articles