All geek questions in one place

Encryption

I am in the process of creating an application that will send and receive data from the server. Simple enough. In the case of disconnected communication, I also started programming the data storage functionality until the connection was reached. This data will be stored locally in the SQLite database.

The data (and not the table) is encrypted, and I will store the individual user salt / IV server side.

This is the essence of my problem. If the user does not have the ability to connect, he / she cannot connect to my server to get their salt / IV, and if I store their individual keys somewhere on the device, then it's simple enough for someone to peek!

Is there a general practice that I could use to ensure data security? It’s hard for me to believe that there is no way to safely store data without connecting to the Internet, but again, I am relatively not familiar with all this server communications business.

+4
source share
1 answer

Just play the devil’s lawyer: who will say that the server is not compromised and delivers the secret key / salt / IV from the attacker? This can be done using a hacked access point, for example, or using some Android malware that redirect host names to different IP addresses that replace your server.

Don't worry about these potential issues. You are not responsible for maintaining the integrity of your users' devices. If I were you, I would just save the encryption key / credentials on the user device in the internal / private application store.

If the user has a root or compromised system, you should not blame, and I think the user is much more worried.

In addition, you need to ask yourself a question if your application, in particular, is worth it for an attacker to study, address and use.

+1
source

Source: https://habr.com/ru/post/1492164/

More articles:


All Articles