0

I am deciding the mechanism to protect Android App and data. I did some research, but don't know if below solutions are enough or not. See if any expert can provide me some advice:

For SQLite database-level protection: Use SQLCipher

For SQLite data-level protection: Use AES256 to encrypt and decrypt (But don't know where to store the secret key is better?)

For Android data to Web Service(PHP): Use SSL and Post method

For Web Service(PHP) Json to Android: Use SSL and Post method

To prevent Android APK to re-engineering: Use Proguard

To make Web Service(PHP) can only access by the Android app: Hard-code a secret key inside the app, send it in HEAD with SSL everytime to the server. Or use android application licensing?

Thanks!!!

Improve this question

1 Answer 1

Reset to default
2

For SQLite database-level protection: Use SQLCipher

Correct.

For SQLite data-level protection: Use AES256 to encrypt and decrypt (But don't know where to store the secret key is better?)

You could but it might not be that necessary since SQLCipher already do the job on data protection in database-level. But if you do want to do double encryption, AES256 could do the job for you. Store the key somewhere that is hard to decode: ndk or in Java code. But don't forget to encrypt secret key as well. Decrypt it when you want to use.

For Web Service(PHP) Json to Android: Use SSL and Post method

Not enough. It is still be able to do repeated request attacked. Add two more mechanics, nonce (number used once) and request signing to your API. It will be far more safe.

For Android data to Web Service(PHP): Use SSL and Post method

SSL + Post + nonce + Request Signing + Certificate Pinning (to prevent man-in-the-middle attack).

To prevent Android APK to re-engineering: Use Proguard

Correct.

To make Web Service(PHP) can only access by the Android app: Hard-code a secret key inside the app, send it in HEAD with SSL everytime to the server. Or use android application licensing?

Just attach some variable, that indicated that the transaction was sent from your android app, to the request.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks for your detail explanation nuuneoi. It looks very great. I have searched Google many times, but find it difficult to find any tutorials of nonce + Request Signing + Certificate Pinning. Do you have any links about these. Thanks. By the way, thanks for your great help nuuneoi
The android-security-cookbook contains step by step guide to setting up SSL pinning, key management and encryption. Disclaimer I wrote these app security chapters.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.