These may be loaded questions that were asked in several forms before, but I did not see this being asked exactly like that, and I would like some opinions on how to proceed.
I am developing an application that requires the storage of credentials of third-party web services on the device. I want these credentials to be encrypted, but I also don't want to store the seed in code / on the device to prevent a possible capture. The application also supports backup using the Google Cloud backup features, which additionally requires encryption.
My thought was that I could find a unique identifier that could be used as a seed. There are several odd claims making this difficult.
- The ID MUST be unique AND the same for the given equipment / user combination under any circumstances.
- It cannot just be attached to a device or user, it must be a combination of both.
- It must be available NO MATTER WHAT; Bluetooth Wi-Fi and MAC addresses are out of the question since they are not available on some devices when they are turned off.
- From what I read, TelephonyManager identifiers (SIM, etc.) are not available on all devices.
- From what I read, ANDROID_ID will not be present under any circumstances.
- The application will be released in several markets (e.g. Amazon Appstore), so a Google account will not necessarily be present.
- Performing a factory cleanup should not affect everything that is used to create this identifier (in this way, the user can back up, erase and restore without interruption).
- Performing an OTA update should NOT affect everything that is used to create this identifier (see reason above).
- This is normal if they should be re-authenticated after removal / reinstallation.
I understand that this value can obviously be obtained by other applications, so I intend to hash it, an additionally seeded application UID, as well as <your suggestion here>.
If someone believes that the requirements are unrealistic, I would also like to hear that.
Especially in the light of recent hacker marathons, I want to be able to at least say: "If someone can compromise this, nothing on your phone will be safe."