Android
thewizardplusplus, 2016-09-02 10:34:32

How to securely store the password in an Android app when building it?

Yes, I know about KeyStore and AccountManager. But they only work in the case where passwords are obtained while the user is working with the app. Then, having received them, you can safely save them there and not expose them anywhere else.
In my case the password is known up front, at development time. There is only one, and it will not change. I need to store it somehow so that it is known only to the application at runtime and cannot be found in the code.
More specifically, it is needed for authorization against the Dropbox API. There is a pair of keys, public and private. The public one is stored openly in the manifest anyway, and that's fine. But I would like to hide the private one from the code. (In the official docs they simply declare a constant with it, without hiding it in any way.)
Just in case, I will explain why open storage of such a key is dangerous. If an attacker finds it, he can create a clone of my application that will access the data folders of all my users and do whatever he wants with their files.
-----
Clarification!
For some reason, absolutely everyone misunderstood me. Therefore, I will explain how working with the Dropbox API is arranged in general and in my application in particular (there is simply no other way to do it).
In the Dropbox developer console, a so-called Dropbox application is created. This Dropbox application contains no code; it is essentially an access account. And it is identified by two keys, a private one and a public one.
When I want to embed Dropbox API access into an Android app, I must present myself as the above Dropbox app. On the first call, I send both keys (public and private), and then standard OAuth 2 authentication begins.
At that point the user of my application is taken either to the official Dropbox Android application or to the official Dropbox website, where he is first asked to log in to his account (no passwords are sent to me; I don't see this step at all), and after that the user has to grant my Dropbox app permission to access his account.
Only after that does my application get access to the user's folder in his Dropbox. Moreover, this access is limited exclusively to the folder of this application; no other files or folders outside it are accessible.
This way my Android app gets individual access to its own folder in each specific Dropbox account that has approved my Dropbox app.
There is no shared access to files across accounts, and there cannot be! I don't understand where all this came from! O_O There is no such mode in the Dropbox API at all!
Problem
Now I will describe the problem once again. Since the Dropbox app required for access is identified by a public/private key pair, anyone with those keys can impersonate my Dropbox app and access my users' files.
Yes, to do this he will either have to install his own malware on users' phones, or create a website and lure users to it. But this is possible and very easy to do.
That is why Dropbox writes that the private key should not be shown to anyone. That is why even on the page where it is written, the key is hidden, and in order to copy it, you need to press a separate button.
Question
So how do I store this private key inside my application? After all, it will be easily accessible through decompilation.
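Added example, not from the question or either answer: the PKCE scheme from RFC 7636, which is the standard way OAuth 2 lets a public client (one that cannot keep a secret, exactly the situation described above) redeem an authorization code without shipping a client secret in the app. The toy authorization server, the `client_id` value and the function names are constructed for illustration; whether the Dropbox endpoints of the time accepted this flow is not stated on the page.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    # 32 random bytes -> 43-char base64url string, inside the 43..128 range RFC 7636 requires
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Constructed toy server: remembers the challenge bound to each issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Browser-side step: the user logs in and consents; the server binds the
        # client's challenge to the one-time authorization code it hands back.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        # Token step: only the process that generated the verifier can redeem the
        # code, so the public app key is enough and no secret has to live in the APK.
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None or entry[0] != client_id:
            return False
        return hmac.compare_digest(make_challenge(code_verifier), entry[1])


def demo_flow(server: AuthorizationServer, client_id: str = "app-key-from-manifest") -> bool:
    # Full exchange: client generates verifier, sends only the challenge, redeems with the verifier
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier))
    return server.token(client_id, code, verifier)


def demo_code_without_verifier(server: AuthorizationServer, client_id: str = "app-key-from-manifest") -> bool:
    # A code seen on the wire is worthless to anyone who does not hold the original verifier
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier))
    return server.token(client_id, code, make_verifier())
```

The first assertion below uses the S256 test vector from RFC 7636 Appendix B, so the challenge function can be checked against the specification rather than against itself.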

2 answer(s)
Ivan, 2016-09-02
@LiguidCool

No way. This is the wrong approach in principle. Anyone who wants to will have no trouble finding your key.
One Dropbox for all users? SERIOUSLY?! With read-write access for everyone? Are you going to store the database there?

mitaichik, 2016-09-02
@mitaichik

One for all is a very, very bad idea! Look instead at the Dropbox API (if it has something suitable, I don't know). Let everyone store their files in their own account and log in there themselves when installing the application.
Again, very bad idea! Even if you hide it in the KeyStore, there is a risk that they will still get it: https://habrahabr.ru/post/169717/
