Ask / Submit
4

app development - how can i encrypt a key [answered]

asked 2017-03-06 16:49:21 +0300

pawel gravatar image

updated 2017-03-06 16:49:47 +0300

Hi there, i am writing on a small native app and i have the need to 'protect' a key. the code that is using this key to communicate with an json service is in javascript, so currently pretty plain on the device and of course also would be in github. i could write a c++ class and upload the dll to github, but again as the dll and corresponding javascript would be both on github, it is pretty the same result. any suggestions ?

Thanks a lot !

edit retag flag offensive reopen delete

The question has been closed for the following reason "the question is answered, an answer was accepted" by pawel
close date 2017-03-07 07:33:35.123165

Comments

I'm having the same issue so I'm also interested in this one :)

Dylan Van Assche ( 2017-03-06 17:11:16 +0300 )edit
1

I've asked myself the same question. It would be cool if there was a Silica module that provides a secure safe for sensitive data. Similar to the Configuration Plugin. This would also suit the security focused strategy of Jolla.

scharelc ( 2017-03-06 17:45:28 +0300 )edit

2 Answers

Sort by » oldest newest most voted
2

answered 2017-03-06 17:29:18 +0300

juiceme gravatar image

I don't think there is really a good answer to that dilemma. The problem is that if you need the key at runtime you just need to decipher in the device it at some point time, and this is when it becomes vulnerable. There is no way you can protect it so that it is unhackable.

If you are the owner of the service end too, I'd suggest you change over to a different authentication scheme. If not, for example if the key is something like the google maps API key, then you are out of luck.

One way to get around would be to set up your middleware service in the net yourself, for example in AWS or whatever high bandwidth platform. The you can set up an encrypted & authenticated connection to that service which forwards the requests to the final destination service.

edit flag offensive delete publish link more

Comments

2

yup, it's like the google maps key.

and yes my only idea was to have my own hosting for it, but that's nothing i really want to do.

pawel ( 2017-03-06 17:50:26 +0300 )edit

There is really no alternative; the only way perhaps is to make it easily configurable in the application and then instruct each user to create their own key.

juiceme ( 2017-03-06 18:11:07 +0300 )edit
1

thing is: you have to apply for the key in order to use the api. i have waited for 3 weeks ;-)

they will not give the key to everybody. however the data / service is not exactly secret. they even allow the usage of http !

still as the key is linked to developer adress, i do not want to leave it as is in github

pawel ( 2017-03-06 19:54:22 +0300 )edit
2

Your best bet is just keeping the key on the C++ side, perhaps behind some rot13 or xor or whatnot if you really don't want it to be plaintext, but bottom line is, if the evil user really wants to get your key, they will.

tadzik ( 2017-03-06 22:13:07 +0300 )edit
1

agreed. i wanted to put it in my db on install, but no idea how to do that, so i will put.it into some dll or similar

pawel ( 2017-03-07 07:31:43 +0300 )edit
1

answered 2017-03-06 17:19:10 +0300

coderus gravatar image

you need to provide password for encrypt/decrypt via external header overwriting default define if such file exists, and add this file to .gitignore, so you will have working sources on github with dummy test password, and different password can be used in production builds.

edit flag offensive delete publish link more

Comments

1

That is not secure in any way, it just adds a layer of obfuscation that is easy to override by anyone knowledgeable :)

juiceme ( 2017-03-06 18:12:40 +0300 )edit

how? if you can never know the password to decrypt.

coderus ( 2017-03-06 18:13:26 +0300 )edit
1

How does it get decrypted in the device of the user, then?

juiceme ( 2017-03-06 18:14:37 +0300 )edit

aes or use any encryption algo of your choice.

coderus ( 2017-03-06 18:15:47 +0300 )edit
1

No, I mean; If you encrypt the key osing whatever algorithm of your choice, and then distribute both the ciphertext and the key in your application, however hidden;

They are both still there in the device, to be hacked out by someone who really wants to do it.

Same goes on with more elaborate schemes; if you create an external service that you use to decrypt the encrypted API key in the device, someone still can intercept it with a debugger and obtain the API key.

There is no possibility you can do it, sorry.

juiceme ( 2017-03-06 19:01:05 +0300 )edit

Question tools

Follow
1 follower

Stats

Asked: 2017-03-06 16:49:21 +0300

Seen: 340 times

Last updated: Mar 06 '17