0

I have files on the server that is encrypted with AES. I am developing iOS and Android apps to decrypt and process those files in the phone or tablet. To decrypt files on the client apps, I have to use/store the same AES keys in the app. That means I have to put my AES keys in the code so I can directly use from source or ship to client device so I can store there. Keeping/Shipping Encryption keys in the code is bad idea but I need those keys to process files.

How can I securely keep keys in my code? Or is there any other way to obtain my AES keys in the client so I can decrypt files?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Walt S.
  • 29
  • 3

1 Answers1

1

You are right to be suspicious of this process. Android apps are super easy to decompile, so you should assume that any keys that are embedded in the app might as well be posted in a public blog.

Without more information on why you need to encrypt the data files it's hard to give detailed advice. A usual way to solve similar problems is to use public-key encryption. Each client app generates its own public key, and when it requests the data from the server, the server encrypts it specifically for that client, using their public key.

Unless there's details that make your problem more complex, you could probably accomplish this by using standard PGP libraries to generate client keys, and to encrypt / decrypt the files.

Community
  • 1
Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209