Nodrex
commented
1 year ago Open Nodrex opened 1 year ago
Nodrex
commented
1 year ago Nodrex
commented
1 year ago Nodrex
commented
1 year ago Nodrex
commented
1 year ago Nodrex
commented
1 year ago Nodrex
commented
1 year ago Nodrex
commented
1 year ago To hide the pre-shared key in your Android app, you can use various techniques to make it more difficult for attackers to find the key. Here are a few options:
Use Android's build system to store the key: You can use Android's build system to store the pre-shared key as a build configuration variable. This way, the key is not stored in the app's source code and is only accessible during the build process. To do this, you can add a line like the following to your build.gradle file:
android {
defaultConfig {
// Add this line to store the key as a build configuration variable
buildConfigField("String", "PRE_SHARED_KEY", "\"your_key_here\"")
}
}Then, in your code, you can access the pre-shared key like this:
String preSharedKey = BuildConfig.PRE_SHARED_KEY;
This approach makes it more difficult for attackers to find the key in your app's code or resources, but it's not completely secure.
Use encryption to obfuscate the key: Another option is to encrypt the pre-shared key and store the encrypted value in your app's code or resources. Then, when your app needs to use the key, it decrypts the value in memory. This approach can be more secure than storing the key in plain text, but it still requires your app to have the decryption key somewhere in its code.
Use a third-party obfuscation tool: There are third-party tools available that can obfuscate your app's code and resources to make it more difficult for attackers to reverse-engineer your app and find the pre-shared key. Examples of such tools include ProGuard and DexGuard. However, these tools can add complexity to your development process and may impact app performance.
Nodrex
commented
1 year ago We can also use JWT (JSON Web Token) which is built in Ktor project:
To use JWT authentication in a Ktor server and communicate with it from an Android client, you can follow these general steps:
Implement JWT authentication in your Ktor server: In your Ktor server, you can use the Authentication feature provided by Ktor to implement JWT authentication. You can define a JWTPrincipal that contains the user information, and use a JwtConfig to generate and verify JWT tokens. Here's an example:
val jwtConfig = JwtConfig(secret)
install(Authentication) {
jwt {
verifier(jwtConfig.verifier)
realm = "ktor-jwt"
validate {
val payload = it.payload
val subject = payload.getClaim("sub").asString()
val roles = payload.getClaim("roles").asList(String::class.java)
JWTPrincipal(subject, roles)
}
}
}Generate JWT token on Android client: In your Android app, you can use the jwt library to generate a JWT token. You can use the JwtBuilder to set the claims in the payload and sign the token with the secret key. Here's an example:
val claims = Jwts.claims()
claims["sub"] = "user123"
claims["roles"] = listOf("admin", "user")
val token = Jwts.builder()
.setClaims(claims)
.signWith(SignatureAlgorithm.HS256, secret)
.compact()
Send JWT token in HTTP requests: In your Android app, you can send the JWT token in the Authorization header of your HTTP requests to authenticate with the Ktor server. Here's an example:
val request = Request.Builder()
.url("https://example.com/api")
.addHeader("Authorization", "Bearer $token")
.build()val response = client.newCall(request).execute() On the Ktor server side, you can use the authenticate function to extract the JWT token from the Authorization header and authenticate the user. Here's an example:
get("/api") {
val principal = call.authentication.principal<JWTPrincipal>()
if (principal != null) {
val subject = principal.payload.getClaim("sub").asString()
val roles = principal.payload.getClaim("roles").asList(String::class.java)
// Do something with user info
} else {
call.respond(HttpStatusCode.Unauthorized)
}
}
We need to security our server from dos attacks and this kind of stuff