I am looking into making my user data secure for android. I come across keyczar. I found the android-keyczar-demo provided by Kenny Root who gives talk on android security at google-IO. However I have a nagging question. Since the keys are packaged in the app, isn't it the case that malicious user can also use that key to decrypt the sensitive data? From keyczar doc, keyczarTool is a command-line tool to create the keys, so it seems that it is not meant to be packaged in the app? I have noticed that keyczar's key can be password protected. However it comes back to hard coding the password in the source code. What am I missing to understand here?
using keyczar in android
2.1k Views Asked by Win Myo Htet At
1
There are 1 best solutions below
Related Questions in ANDROID
- Creating global Class holder
- Flutter + Dart: Editing name of a tab shows up a black screen
- android-pdf-viewer Received status code 401 from server: Unauthorized
- Sdk 34 WRITE_EXTERNAL_STORAGE not working
- ussd reader in Recket Native module
- Incorrect display of LinearGradientBrush in IOS
- The Binary Version Of its metadata is 1.8.0, expected Version is 1.6.0 build error
- I can't make TextInput to auto expand properly in Android
- Creating multiple instances of a class with different initializing values in Flutter
- How to create a lottie animation
- making android analyze with coverity sast tool
- Flutter plugin development android src not opening after opening example
- I initialize my ViewModel in the Activity with several fragments as tabs, but the fragments(tabs) return null for the updated livedata
- Node.js Server + Socket.IO + Android Mobile Applicatoin XHR Polling Error...?
- How I can use the shared preferences class?
Related Questions in ENCRYPTION
- Is TLS enough for client server encryption or if dealing with sensitive data, its better to add ur own encryption also. for example leverage AWS SSM?
- Secure Messaging Implementation in C#
- File splitting and encryption
- Large file processing in the web browser
- Java code of AES/GCM/NoPadding encryption algorithm with authentication tag
- AES-256-CBC encryption returning different result in Python and PHP , HELPPP
- Why are encrypted stored procedures taking a long time to execute in SQL Server 2022?
- Why/How does Apache auto-include "DHE" TLS1.2 ciphers while nginx needs "dhparams" file?
- Encrypt in Single Store and Decrypt in SQL Server
- Is it possible to develop a Transparent Data Encryption(TDE) system on macOS now?
- How can I ensure incremental changes in deciphered messages in Python substitution cipher decoding?
- Getting Error Message as "the input string is not a complete block" while Decryting using AES
- Laravel: How to fix "the MAC is invalid" on local environment
- How to encrypt a string and decrypt it using a password
- Willena's sqlite-jdbc-crypt driver for sqlite3 database encryption
Related Questions in CRYPTOGRAPHY
- Secure Messaging Implementation in C#
- How to verify JWS (x5c chain) is signed by apple using Jose
- How to Safely Use Crypto.subtle Property for Local Testing Without Security Risks?
- OpenSSL3.0 RSA Signature Verification in C
- npm install tulind in my crypto server side
- how i need place arg in code for funtion send?
- Mbed TLS: in-place en-/decryption for OAEP doesn't seem to work
- Cannot test cryptographic performance using crypto_aesni_mb
- Installation Private Blockchain
- Encountered this error while implementing NTT cpp code: terminate called after throwing an instance of 'std::bad_alloc' what(): std::bad_alloc
- Cryptography Notion - Diffie-Hellmann
- Hash password with another password
- How to convert CryptAcquireContext to .NET 8 using System.Security.Cryptography methods
- Error "Cannot find module 'crypto'" in WalletConnect module
- Why do some cryptographic signature npm packages (like superdilithium) convert text to an array of integers before signing?
Related Questions in SALT
- How to define the output of salt status
- how to debug salt and salt-call issue?
- Install External Python Module into Salt Execution Module
- In .net how can i make a own Login + Register (hashing + salt)?
- MySQL - How to generate a hashing password with salt in caching_sha2_password format
- Can I properly get a salt with Node.js crypto.getRandomValues method?
- Should a password salt be stored in a database
- Unattended_Windows_Update state.apply missing two points
- Does FusionAuth use a random salt for each password in Salted PBKDF2 HMAC SHA-256?
- decrypting using openssl api with iter, default pad and salt
- If an Hacker get salt and our hashed password from a database, why can't he hack the password?
- Salt - Unable to run Powershell commands in non-interactive mode
- How is there a negative salt or verified generated here while confirming a device for AWS Cognito?
- data and salt required : hashSync
- How does per user password salting work without transmitting the password as plain text?
Related Questions in KEYCZAR
- How to decrypt AES-CBC encrypted data with Google Tink?
- Is there a way to call Google Keyczar from node.js?
- Get resource folder in java war file
- RSA keyczar and js
- Can I decrypt data which is encrypted by Keyczar using Google Tink?
- Python 2.7 cannot import Crypto
- c++ encrypt a text with a key received over packet? keyczar?
- using keyczar in android
- Does keyczar python library provide functionality to verify signatures signed using x509 PEM certificates?
- How to easily encrypt and decrypt a String using Tink?
- How to include an external library into your project properly
- What type of file does "/path/to/your/key" refer to?
- Adding keyczar as a Maven dependencies in NetBeans
- How to use EncryptedCharfield
- Asymmetric encryption for Android using KeyCzar
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
What you are missing is that you can't semantically keep the key secret from your users if you also want those same users to be able to decrypt. That's why DRM will never work.
The reason keyczar has the keytool is that an important part of security is changing your key over time, and so keyczar provides a way to rotate your keys without breaking functionality.
The PBE keysets are there so that a user can enter a password to decrypt, it is definitely not intended to be hard coded. That way given a keyset for an app, you can protect the data from an adversary while providing decryption to your user, by requiring your user enter a password. (Unfortunately this feature is only present in the C++, Go, and C# versions of keyczar--not currently in the java version).
Also if you don't want every user to have the same key you don't have to include the keyset with your app, you could also generate it installation. But encryption in the mobile space is difficult, it's hard to say without knowing what you are trying to do, if it's possible for you to secure what you want or if keyczar is the right fit.