android - Decrypt strings encrypted with a SecretKey, when the key is no longer accessible -


i have interesting situation here. app stores sensitive info input user such social service account of theirs. use master password input user generate secretkey, , use aes encryption , store sha1 hash , encrypted data on device, not master password or key.

the issue in case user forgets password, there secret question can answer , change master password. when master pass changed, since previous password (and associated secretkey) forever gone, can't decrypt stored strings , show decrypted data user.

here solutions can think of:

1 - store password, have heard totally unsafe.

2 - store secretkey, have heard unsafe too.

3 - store user data in database unencrypted, unsafe guess.

4 - wipe entire database everytime user forgets password, silly think.

i need way overcome , can't think of secure way pull off. crucial solved app fly. , appreciated.

well it's bit unfair remove of user's data because forgot password.

then shouldn't storing stuff in container requires passphrase. next, you'll argue should able open wall safe using hockey ticket stub , chewing gum, because might forget combination lock.

please note line of inquiry assumes approach described in opening paragraph correct way build app has security characteristics desire.

for example, right answer meet requirements not encrypt data @ all, instead force user have device full-disk encrypted. can use devicepolicymanager see if device has full-disk encryption enabled, , can refuse run if not. then, data encrypted, rest of device, no longer having deal passphrases , recovery scenarios — that's google , device manufacturers.

isn't there other way decrypt data?

only if have vulnerability in app (a.k.a., backdoor). ticket-stub-and-chewing-gum scenario. point behind encrypting data make cannot encrypted without passphrase or equivalent security key.

so, approach app dump key stuff , use keystore. particularly on devices hardware-backed keystore, there's no way @ key, short of unlocking device. here, don't have worry full-disk encryption (as you're encrypting data) , don't have worry user forgetting key (because user never has key). saves having have user enter passphrase. can't readily data (as it's useless without key), , if user's device run on bakery truck or otherwise destroyed, data gone. provide options user key (e.g., removable media), reliant upon them remembering stored backup, storing backup key securely, etc.

or make same secretkey before?

since nobody knows how creating this, nobody can answer question.

i suggest read this paper, outlines how 88% of android apps surveyed, tried cobble own crypto approach, screwed up.


Comments

Post a Comment

Popular posts from this blog

node.js - Using Node without global install -

i'm working on few node & electron (atom shell) projects , i'm curious how them work without user having install node globally. i've seen few applications including node directory in project contains node.exe binary. how go setting node project use binary? edit: thought should add, i've searched everywhere answer this, unrelated results.
Read more

How to access a php class file from PHPFox framework into javascript code written in simple HTML file? -

i've website developed using phpfox v3.0.7 . now i'm trying implement 'sse(server sent events)' 1 of php files. reference i'm giving below necessary code part of file. file titled process.class.php , present @ location /var/www/module/notification/include/service/process.class.php present on server having ip http://34.124.40.142/ . <?php /** * [phpfox_header] */ header('content-type: text/event-stream'); header('cache-control: no-cache'); defined('phpfox') or exit('no dice!'); /** * * * @copyright [phpfox_copyright] * @author raymond benc * @package phpfox_service * @version $id: service.class.php 67 2009-01-20 11:32:45z raymond_benc $ */ class notification_service_process extends phpfox_service { /** * class constructor */ public function __construct() { $this->_stable = phpfox::gett('notification'); } public function add($...
Read more

java - Null response to php query in android, even though php works properly -

Image
table i'm trying retrieve above data using 2 php files below. want pass email parameter , return bets user = email. work fine when tested advanced rest client, problem not php. however, when try through android 2 java classes below, null pointer exception (logcat below) , json object returned null. i'm not sure error is, think i'm not passing parameter php , that's why it's producing null response. logcat 05-31 15:10:50.227 26074-26074/com.example.albert.betterapp e/androidruntime﹕ fatal exception: main process: com.example.albert.betterapp, pid: 26074 java.lang.runtimeexception: unable start activity componentinfo{com.example.albert.betterapp/com.example.albert.betterapp.displayallbets}: java.lang.nullpointerexception @ android.app.activitythread.performlaunchactivity(activitythread.java:2292) @ android.app.activitythread.handlelaunchactivity(activitythread.java:2350) @ android.app.activitythread.acce...
Read more