The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,117 other followers

Archive for the ‘Android’ Category

Android passwords: store as transient as possible using arrays in stead of strings

Posted by jpluimers on 2020/08/06

Sometimes you cannot avoid handling passwords in your application. When you do,

  • keep them around as short as possible
  • store them in data types that are not garbage collected
  • wipe the storage as soon as you are done

In practice, this usually comes down to storing them as arrays (character or byte arrays), not strings.

This holds for many other platforms outside Java as well: strings are usually managed in one way or the other, so they cannot be wiped

References:

For actual storage of passwords, you always have the risk of retrieval: when a “bad guy” gets physical access to a device, it is basically hosed.

A KeyStore can only do so much against it: if your APK can be downloaded, it can be reverse-engineered revealing the exact steps how the store is accessed, reproducing the steps needed to hack into the underlying protected data/functionality.

The keystore can be forgetful…

You’ve just moved in to a new house and have been given the master key for the front door. You only have one of these so you know you need to keep it safe. Your really paranoid so you hire an armed guard, whose sole job is to protect this key, in fact, this is all he has been trained to do and has a catchy slogan of “need to protect a key, its what I was born to do!”. You install an extra lock on your front door as you feel the bodyguard isn’t enough, this is a rough area anyway and who’s going to make sure no-ones about to break in and steal all your crap. You return to your key guard only to be informed he has thrown the key away. You shout and scream at him but he just blankly says “I don’t have it anymore, I didn’t think it was important”. You can’t contain your anger “What the hell, your a jerk! You had one thing to do and you failed, this causes me a lot of problems, why didn’t you tell me you might do this?! What do I do now?!”

[WayBack] Android Security: The Forgetful Keystore – SystemDotRun – Dorian Cussen’s Super Blog

–jeroen

Posted in Android, Development, Java, Java Platform, Mobile Development, Power User, Security, Software Development | Leave a Comment »

Best android apps for zabbix – AndroidMeta

Posted by jpluimers on 2020/05/28

If I land a project using Zabbix again, one of the things I need to look into is [WayBackBest android apps for zabbix – AndroidMeta.

–jeroen

Posted in *nix, Android, Android Devices, Development, Linux, Mobile Development, Monitoring, Power User, Zabbix | Leave a Comment »

SMS Backup+ – Apps on Google Play

Posted by jpluimers on 2020/03/04

Simple but cool app: [Archive.isSMS Backup+ – Apps on Google Play:

Automatically backup your SMS, MMS and call history with a separate label in Gmail and Google Calendar.

Later you can restore the saved data (except MMS) back to the phone, especially useful when switching to a new device.

IMAP access needs to be manually enabled in Gmail, see the website and FAQ for more information. You can of course use your own IMAP server for backups, giving you full control over your data.

SMS Backup+ is a free open-source project which has been in active development since the early days of Android, completely ad and tracking-free, supported through voluntary donations.

Sourcecode: [WayBack] GitHub – jberkel/sms-backup-plus: Backup Android SMS, MMS and call log to Gmail / Gcal / IMAP

Via: [WayBack] Wirre Telefongespräche für 500. Ich kriege ja nicht mehr oft Anrufe auf der deutschen Telefonnummer, und so liegt das Telefon jetzt daheim und hängt am… – Kristian Köhntopp – Google+

–jeroen

Posted in Android, Development, Mobile Development, Software Development | Leave a Comment »

Commander One review: A superior alternative to Android File Transfer on Mac

Posted by jpluimers on 2020/01/10

On my list of software to try: [WayBackCommander One review: A superior alternative to Android File Transfer on Mac

Via: [WayBack] Looks like a must-have for anyone using a Mac (with MacOS) and an Android phone. – Roderick Gadellaa – Google+

–jeroen

Posted in Android, Android Devices, Apple, Development, iMac, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MacMini, macOS 10.12 Sierra, macOS 10.13 High Sierra, Mobile Development, Software Development | Leave a Comment »

Some links on keystore, encryption and decryption on Android

Posted by jpluimers on 2019/02/06

For my link archive:

 

Basically:

  • storing encrypted data plus IV in preferences is OK
  • store the symmetric encryption key (for instance an AES one) in the keystore for the application
  • likely a salt is also needed, then store the salt with the IV and encrypted data

–jeroen

Presumptions:

  • The keystore of a specific application UUID is only accessible by only that application UUID when the device has been unlocked by the user
  • The keystore saves credentials in a secure way
  • It is OK to save both the encrypted data and associated IV

Approach (plain data is “hashed application PIN”, encrypted data is “encrypted hashed application PIN”:

  1. store a symmetric AES key in the application key store
  2. after entering application PIN:
    1. hash the application PIN
    2. use the hashed application PIN to to enter the application
    3. from the keystore, obtain the symmetric AES key
    4. create a cipher based on the AES key
    5. use the cipher to obtain an IV, and to encrypt the hashed application PIN
    6. store the encrypted hashed application PIN and IV both in the application preferences
  3. when needing to enter the application, present the user to either enter the application PIN again or proof that they can pass the device unlock sequence (using an unlock activity)
    1. if the user provided the application PIN, then:
      1. hash the application PIN
      2. try to enter the application with the hashed application PIN
    2. proved the device unlock, then:
      1. from the preferences, obtain the IV and encrypted hashed application PIN
      2. from the keystore, obtain the symmetric AES key
      3. create a cipher based on the AES key
      4. decrypt the encrypted hashed application PIN using the cipher and the IV into the hashed application PIN
      5. try to enter the application with the hashed application PIN

Posted in Android, Development, Mobile Development, Software Development | Leave a Comment »

 
%d bloggers like this: