How to publish legacy android app with "unsafe encryption" error? - android-security

We use AES encryption with a static key and a static initialization vector.
Encryption and decryption of data is done on Windows, macOS and Android.
We know it is not secure to store the key in the app and we do not care about security; we just need to be able to support the legacy data format. We need encryption not for security but for backward compatibility. We know we do not provide any data security and our customers know it too. Is there any way to force the Play Store to ignore the error and publish our app without moving the encryption and decryption functions to the NDK?

Related

Where to store encryption key using node.js?

I have been doing a lot of research but I can't understand where I should save the encryption key in a production environment.
In my local environment I have a .env file, but it feels very risky to have the encryption key written there in plain text in a production environment. I could encrypt it, but then I just have another key to save somewhere.
I am not using AWS or any other big cloud platform, so I can't use AWS KMS etc.
I have looked into alternatives to AWS KMS, such as Doppler (doppler.com). You can store the key there, but to get the key with their API they use tokens to authenticate the requests, so then I have to store the token somewhere safe... so it feels like I'm just running a rat race.
So I really need help here. Where should I store the encryption key? Where would you (and where can you) store it if you were not using any big cloud platform?

Do I need to protect my Firebase Server Key? Can I store it in the source code or is there a way to get it programmatically?

Right now I have my Server Key for Firebase messaging hardcoded in my code.
Is this a security problem for when I deploy my app?
Can I get this key programmatically?
Yes, it's a security issue; according to this official document, at the bottom it says:
Important: Do not include the server key anywhere in your client code. Also, make sure to use only server keys to authorize your app server. Android, iOS, and browser keys are rejected by FCM.
And I don't think "get this key programmatically" is a good idea, because you still downloaded the key to the client, or are using some other way to store it on the client.
There's no way to protect the key in your APK in a serious way. Getting the key would be quite easy, so you have a big security issue and your poor security design could have bad consequences; see for example what GDPR says about privacy. Remove the key, change it if possible, and implement a server to communicate with your clients and send push messages.

Encrypting sensitive data in React Native and Expo

I'm working on a mobile app with React Native and Expo, providing security solutions. The project owner wants to store sensitive authorization keys in the app, used to communicate with a REST server and access secure data. He demands that these keys are at least encrypted and as hard to read from the outside as possible.
I know about these topics:
Save sensitive data in React Native
Is React Native's Async Storage secure?
and about Keychain, but they don't cover encryption and Expo issues.
So what is the best and most common solution for making this data as safe as possible in React Native Expo app?
Expo now has SecureStore, which stores encrypted data.
Details: https://docs.expo.io/versions/latest/sdk/securestore
I am recently involved in a React Native project with security concerns like yours. Security is not an easy issue and I am not an expert, but this is what we did.
We used react-native-aes-encryption for encryption and hashing, and react-native-rsa for generating public/private key pairs. In order to use these libraries properly, you had better know basic cryptography concepts.
We used react-native-keychain to read/write data from the keychain. Keychain is the way to go if you want to store some small sensitive data. It has been used in all Apple OSs in order to keep your passwords safe. That said, this component is not working as seamlessly as expected on the Android side if you want to build your app for both platforms.
Other than that, I have no idea about Expo. I hope these libraries work for you as well.

How to implement end-to-end encryption using XMPP configured to archive the messages?

I am developing an app that uses XMPP. The XMPP server (Openfire) is configured to archive all messages so they can be fetched later.
We are facing a problem deciding how to implement end-to-end encryption.
We are willing to use PKI, but the client can access the chat from a mobile app and/or from a browser.
Using PKI, only a specific client can decrypt the message because the private key was generated by this specific client.
Example: if the user accesses the app from an Android device (where the keys were generated), how will the browser version decrypt the archived messages? (The same user is accessing the two versions.)
Can anyone help me with that? Even a different approach is welcome.
I would recommend a scheme based on OpenPGP (RFC 4880). For XMPP this could mean using:
XEP-0373: OpenPGP for XMPP
XEP-0374: OpenPGP for XMPP Instant Messaging.
XEP-0373 allows you to securely synchronize the secret key(s) across devices. You can either re-use the same key across all devices of the same user, or create a key per device.
Disclaimer: I'm one of the authors of XEP-0373 and XEP-0374.

Is the WhatsApp/Facebook Messenger password encrypted on the device?

I am trying to figure out how to handle the credentials for the reconnection process to a chat server from a mobile device; I know the credentials probably have to be stored on the device.
I am wondering if the password is encrypted before it is stored? But as WhatsApp and these chat apps do not require a password on open, I am assuming they don't, or they use a unique value per device to store them?
Both iOS and Android offer file encryption features for developers to encrypt/protect sensitive data. It is typically used to store a local password.
You should make sure on Android that you are using the proper file storage mode: http://developer.android.com/training/articles/security-tips.html
and you should look for Keychain on iOS: https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html