Java – What is the best way to hide keystore passwords in Android?

I am new to Android development and implementing SSLSockets. After doing some digging, I was able to set up a simple server/client that worked fine. I feel that this implementation may require some work, and it is difficult to understand how to load passwords into the keystore without plain text. Here is some code for the client. As you can see, I’ve hardcoded the password into a local variable. Is there a better way to load the keystore password so I don’t use it in plain text in my code?

    char [] KSPASS = "password".toCharArray();
    char [] KEYPASS = "password".toCharArray();
    try {
        final KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), KSPASS);

        final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManager.init(keyStore, KEYPASS);

        final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustFactory.init(keyStore);

        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
        Arrays.fill(KSPASS, ' ');
        Arrays.fill(KEYPASS, ' ');

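        KSPASS = null;
        KEYPASS = null;
    } catch (GeneralSecurityException | IOException e) {
        // Keystore, certificate and I/O failures all end up here.
        throw new IllegalStateException("Could not initialise SSLContext", e);
    }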

Update:

It turns out that the client doesn’t need to know the keystore password at all. I modified the code to pass in null as password. So far, preliminary tests have communicated with the server. On the server side, I still load the keystore password.

        final KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), null);

        final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManager.init(keyStore, null);

        final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustFactory.init(keyStore);

        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);

Solution

Well, it’s not an easy question to start with.

For example, you can request a password from the user when the application starts, so that the password is not hard-coded in your code. I think this is the safest method.

If this is not possible, then if someone can access the jar and “see” the code and subsequent password, then your problem arises. You can delegate to the user who protects these jars.

If this is not possible, then you can encrypt the password and store it somewhere. Then hardcode the key in your code to decrypt the password. So people who view the jar can’t see your real password, only the decryption key. Of course, with real effort, he can get the key and try to find where the password is located and decrypt it and get the key, but this requires more effort.

In the end, it depends on what security needs you have.
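
The Update in the question, taken one step further, as an added example that is not part of the original post: when the client only has to verify the server, it can build its trust store from the server's certificate alone, which is public, so the app carries no keystore password at all. It assumes the client does not authenticate itself with a certificate; the class name, the `server` alias and the `R.raw.servercert` resource are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedServerTrust {

    /**
     * Builds an SSLContext that trusts only the certificate read from certStream.
     * A certificate is public data, so the client ships no password and no private key.
     */
    public static SSLContext fromCertificate(InputStream certStream) throws Exception {
        // Parse the PEM- or DER-encoded X.509 certificate.
        Certificate serverCert =
                CertificateFactory.getInstance("X.509").generateCertificate(certStream);

        // load(null, null) creates an empty in-memory keystore; nothing is read
        // from a protected file, so there is no stored password to hide.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No KeyManagers: the client presents no certificate of its own (assumption).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the server certificate file (hypothetical input).
        // On Android, pass context.getResources().openRawResource(R.raw.servercert)
        // to fromCertificate() instead; the resource name is hypothetical.
        try (InputStream in = new FileInputStream(args[0])) {
            SSLContext ctx = fromCertificate(in);
            System.out.println("Protocol: " + ctx.getProtocol());
        }
    }
}
```

The private key and its password then exist only on the server, where the keystore password can be supplied at startup instead of being compiled into an app that anyone can unpack.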
