2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many people new to the topic have little idea how to achieve data storage security on Android, so this article summarizes the causes of the problem and their solutions. I hope it helps you solve this problem.
0x01 Common data storage methods and example files
The most direct way to store data is to save it on the phone as a file. Android development is mainly based on Java, so basic operations such as file reading and writing are the same, and file operations and data streams come from java.io.*. For Android, however, developers need to pay attention to the following points:
1. File directories. Under Android's permission management, each application has its own storage space, and the storage structure is as follows:
2. Common file directories and paths
/data/data/(packageName)/cache: the application's cache files. To get the directory: File cache = getCacheDir()
/data/data/(packageName)/files: the application's general files. To get the directory: File file = getFilesDir()
/data/data/(packageName)/shared_prefs: the directory where the application's SharedPreferences files are stored
/data/data/(packageName)/databases: the application's database directory (SQLite)
/storage/emulated/0/sdcard: the built-in SD card directory. To get it: String sdcard = getInnerSDCardPath()
/storage/extSdCard: the external SD card directory. To get it: String exsdcard = Environment.getExternalStorageDirectory().getPath()
Android provides a well-defined way to obtain the default SD card directory. However, a phone does not necessarily support an external SD card, and one may or may not be inserted, so there are pitfalls to watch for when obtaining the external SD card path: first, avoid exceptions; second, distinguish internal from external storage.
Key point: location. When saving user or application data to a file, first follow Android development conventions and choose between the application directory and external storage according to the type of file. When storing on the SD card, avoid saving directly in the root directory: first, to avoid cluttering the user's file management; second, to prevent the files from being modified or deleted.
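The location rules above, as an added example that is not from the original article: sensitive data stays in the app-private directory, and external storage is used only when it is mounted, and then only through the app-specific subdirectory rather than the card root. The class StorageLocations and its method names are hypothetical.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class StorageLocations { // hypothetical helper, not an Android class
    private StorageLocations() {}

    /** Sensitive data always stays in /data/data/(packageName)/files. */
    public static File chooseDir(Context ctx, boolean sensitive) {
        if (sensitive) {
            return ctx.getFilesDir();
        }
        // External storage may be absent, ejected or read-only: check before use.
        if (Environment.MEDIA_MOUNTED.equals(Environment.getExternalStorageState())) {
            // App-specific subdirectory on external storage, never the card root.
            File dir = ctx.getExternalFilesDir(null);
            if (dir != null) {
                return dir;
            }
        }
        return ctx.getFilesDir(); // fall back instead of throwing
    }

    /** True when the primary external storage is a physically removable card. */
    public static boolean isRemovableCard() {
        return Environment.isExternalStorageRemovable();
    }

    /** Writes data under the chosen directory and returns the file written. */
    public static File save(Context ctx, String name, byte[] data, boolean sensitive)
            throws IOException {
        File target = new File(chooseDir(ctx, sensitive), name);
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(data);
        }
        return target;
    }
}
```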
Database
Android uses SQLite as its database. SQLite is a lightweight database built into mobile devices and a relational database management system that complies with ACID (atomicity, consistency, isolation, durability). In Android development, querying and modifying stored data can be implemented through SQLiteOpenHelper or a custom class that extends SQLiteOpenHelper. SQLite databases also support encryption, which can be applied through sqlite3.exe or SQLiteConnection. Tools such as SQLiteEncrypt, SQLiteCrypt and SQLCipher encrypt the database; the first two are paid, while SQLCipher is an open source tool hosted on GitHub. Encryption through the SQLiteConnection class looks as follows:
    // SQLiteConnection.SetPassword is the System.Data.SQLite (.NET) API; set the password before opening
    SQLiteConnection conn = new SQLiteConnection("Data Source=TestDatabase.sqlite;Version=3;");
    conn.SetPassword("password");
    conn.Open();
SharedPreferences storage
SharedPreferences is Android's way of storing lightweight data. It is held internally as a Map, and the saved data is written in XML format to the local /data/data/(packagename)/shared_prefs folder. SharedPreferences values support Java's basic types, such as Boolean, Int, Float and so on. Because it is meant for lightweight data, the values saved should not be too large: too much data puts pressure on the system GC and memory, and can even cause stutters in Activities.
    // Writing values
    SharedPreferences pref = getSharedPreferences("test", MODE_PRIVATE);
    SharedPreferences.Editor editor = pref.edit();
    editor.putString("name", "root"); // save a string
    editor.putInt("age", 12);         // save integer data
    editor.commit();
    // In the putXXX methods the first parameter is the key and the second is the value

    // Reading values
    SharedPreferences setting = getSharedPreferences("setting", 0);
    setting.getInt("key_name", -1);    // get an int
    setting.getFloat("key_name", -1f); // get a float
    setting.getLong("key_name", -1L);  // get a long
    // In the getXXX methods the first parameter is the key name and the second is the default value
0x02 Android encryption algorithm and its implementation
DES is a symmetric encryption algorithm. Similarly, 3DES applies DES three times, sacrificing efficiency to improve encryption security.
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.DESKeySpec;
    import javax.crypto.spec.IvParameterSpec;

    // DES encryption
    public static byte[] encrypt(byte[] data, String key) {
        try {
            byte[] bkey = key.getBytes();
            // Initialization vector; the key bytes are reused as the IV, so the key must be exactly 8 bytes
            IvParameterSpec iv = new IvParameterSpec(bkey);
            DESKeySpec desKey = new DESKeySpec(bkey);
            // Create a key factory and use it to convert the DESKeySpec into a SecretKey
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
            SecretKey securekey = keyFactory.generateSecret(desKey);
            // Assumed transformation: CBC follows from the IV above, PKCS5Padding is an assumption
            Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
            // Initialize the Cipher object with the key
            cipher.init(Cipher.ENCRYPT_MODE, securekey, iv);
            // Perform the encryption
            return cipher.doFinal(data);
        } catch (Throwable e) {
            e.printStackTrace();
        }
        return null;
    }

    // DES decryption
    public static byte[] decrypt(byte[] src, String key) throws Exception {
        byte[] bkey = key.getBytes();
        // Initialization vector (same 8 key bytes as in encrypt)
        IvParameterSpec iv = new IvParameterSpec(bkey);
        // Create a DESKeySpec object
        DESKeySpec desKey = new DESKeySpec(bkey);
        // Create the key factory
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
        // Convert the DESKeySpec object into a SecretKey object
        SecretKey securekey = keyFactory.generateSecret(desKey);
        // The Cipher object performs the actual decryption (same assumed transformation as in encrypt)
        Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
        // Initialize the Cipher object with the key
        cipher.init(Cipher.DECRYPT_MODE, securekey, iv);
        // Perform the decryption
        return cipher.doFinal(src);
    }
AES (Advanced Encryption Standard) is the symmetric encryption algorithm designed to replace DES.
    import java.security.GeneralSecurityException;
    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;

    // AES encryption
    public static byte[] encrypt(byte[] data, byte[] key) {
        try {
            // Use the caller's key bytes directly (16 bytes for AES-128). Generating the key from
            // KeyGenerator.init(128, new SecureRandom(key)) is not repeatable on Android, so
            // decryption would end up with a different key.
            SecretKeySpec aesKey = new SecretKeySpec(key, "AES"); // convert to an AES key
            // Assumed transformation: no IV is passed to init(), which means ECB mode;
            // ECB reveals repeated plaintext blocks
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); // create the cipher
            cipher.init(Cipher.ENCRYPT_MODE, aesKey); // initialize in encryption mode
            return cipher.doFinal(data); // encrypt
        } catch (GeneralSecurityException e) {
            // Covers NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException,
            // IllegalBlockSizeException and BadPaddingException
            e.printStackTrace();
        }
        return null;
    }

    // AES decryption
    public static byte[] decrypt(byte[] data, byte[] key) {
        try {
            SecretKeySpec aesKey = new SecretKeySpec(key, "AES"); // same 16 key bytes as in encrypt
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); // create the cipher
            cipher.init(Cipher.DECRYPT_MODE, aesKey); // initialize in decryption mode
            return cipher.doFinal(data); // decrypt
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
        return null;
    }
Symmetric encryption is fast, but because the same key is used for encryption and decryption, it raises many problems in key storage, distribution and security, such as key management and key disclosure. For this reason the encryption key and the decryption key are separated, giving asymmetric encryption: the client encrypts with the public key and the server decrypts with the private key, and the encryption key can be disclosed without risk. RSA is a commonly used asymmetric encryption algorithm.
Implementation of RSA encryption and decryption
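    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.NoSuchAlgorithmException;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import javax.crypto.Cipher;

    // Generate the public and private keys
    public static KeyPair buildKeyPair() throws NoSuchAlgorithmException {
        final int keySize = 2048;
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(keySize);
        return keyPairGenerator.genKeyPair();
    }

    // RSA encryption: the sender encrypts with the public key
    public static byte[] encrypt(PublicKey publicKey, byte[] data) throws Exception {
        // Assumed transformation: OAEP padding
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        // Encrypt
        return cipher.doFinal(data);
    }

    // RSA decryption: the receiver decrypts with the private key
    public static byte[] decrypt(PrivateKey privateKey, byte[] enData) throws Exception {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        // Decrypt
        return cipher.doFinal(enData);
    }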
Among commonly used data protection methods you will often encounter the md5 and sha-256 algorithms, but these produce a hash value of the plaintext. The essential difference between a hash algorithm and an encryption algorithm is reversibility, that is, whether the plaintext can be recovered from the ciphertext by computation. In particular, base64 is an encoding format that provides no security beyond making the data harder to read.
0x03 Advanced storage security
The sections above introduced the commonly used Android data storage methods and encryption algorithms, which lead directly into Android storage security. In practice, data storage security is a complex, systemic problem: it concerns not only development, but everything from data structure to coding to key generation and management.
File hiding
To create a hidden file or folder on Android, add a "." (typed under the English input method) before the file or folder name. Hidden files and folders can still be read and written directly. This is easily overlooked by developers. At first glance it does not seem difficult; the problem lies in the difference between the developer's and the user's perspective. Because Android phones come with a file viewer by default, users can easily view and modify files in the sdcard directory. The greatest benefit of using hidden files is avoiding accidental operations.
If the key is saved in a file on the phone, or hard-coded in the code, it is easily recovered by reverse engineering. A symmetric encryption key generally has to be kept on the user's phone, which runs contrary to security. Usually the best approach is not to store the key at all, but to use fixed data or strings as key factors, such as a unique attribute of the user's account.
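One way to apply the "do not store the key" approach described above, as an added example that is not from the original article: the AES key is re-derived with PBKDF2 from a key factor on every use and applied with AES-GCM, so a modified record or a wrong factor is rejected. The class name DerivedKeyBox, the iteration count and the record layout are assumptions, and PBKDF2WithHmacSHA256 is assumed to be available (API level 26 or later on Android).

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class DerivedKeyBox { // hypothetical helper name
    private static final int SALT = 16, IV = 12, TAG_BITS = 128;
    private static final int ITERATIONS = 100_000; // assumed work factor
    // Re-derive the AES key from a key factor on every use; no key is written to storage.
    static SecretKey derive(char[] factor, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(factor, salt, ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    // Record layout: salt || iv || ciphertext+tag (salt and IV are not secret).
    public static byte[] seal(char[] factor, byte[] plain) throws GeneralSecurityException {
        byte[] out = new byte[SALT + IV];
        new SecureRandom().nextBytes(out); // fresh salt and IV for every record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, derive(factor, Arrays.copyOf(out, SALT)),
                new GCMParameterSpec(TAG_BITS, out, SALT, IV));
        byte[] ct = c.doFinal(plain);
        out = Arrays.copyOf(out, SALT + IV + ct.length);
        System.arraycopy(ct, 0, out, SALT + IV, ct.length);
        return out;
    }

    public static byte[] open(char[] factor, byte[] blob) throws GeneralSecurityException {
        if (blob.length < SALT + IV + TAG_BITS / 8) {
            throw new GeneralSecurityException("truncated record");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, derive(factor, Arrays.copyOf(blob, SALT)),
                new GCMParameterSpec(TAG_BITS, blob, SALT, IV));
        // doFinal throws AEADBadTagException on a wrong factor or a modified record.
        return c.doFinal(blob, SALT + IV, blob.length - SALT - IV);
    }
}
```

The protection is only as strong as the secrecy of the key factor: anyone who knows the account attribute and holds the record can run the same derivation.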
Android code is mainly written in Java. At packaging time, the Java code is compiled into a dex file and placed in the installation package, but a dex file is easily reversed back to smali code or Java files. Although obfuscation, packing and even virtual machine protection (VMP) techniques are now very mature, and simple reverse engineering cannot recover the code logic or hard-coded strings, Java code still carries a high security risk. It is therefore necessary to implement encryption- and decryption-related operations in native code, which both ensures efficiency and, on top of .so protection techniques, provides higher security.
0x04 Thoughts on Android data security
As the mobile Internet matures, mobile applications are undergoing a qualitative change. Compared with the wild, unregulated growth of the early boom, mobile applications now take security and quality into account, especially given the current state of Internet information security in China. Data security underpins the survival of enterprises and applications, so protecting application data is very important. Regarding Android data storage security: because of Android's security mechanism, a user who obtains root permission can access every directory on the phone, including applications' private directories. Data storage should therefore assume a white-box, untrusted environment, and in that case the data-encryption key becomes the crux. One key per device, dynamic keys, white-box keys and other approaches each have advantages and disadvantages. One key per device requires protecting the key-generation logic; dynamic keys require attention to key timeliness, validity and link security; white-box keys are not widely recognized, so their compatibility and security need to be tested.