Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I want to develop a mobile bank app (windows phone, android, ios) that interact

ID: 657868 • Letter: I

Question

I want to develop a mobile bank app (windows phone, android, ios) that interact with bank channel. first time when user opens application the key exchange process begins and at end of this process a long-term SymmetricKey generates and must store in mobile device. all of request that sends to server encrypt with this key. if someone can steal the SymmetricKey he/she can hijack the user session. in simple way i can store SymmetricKey in plain text format. another solution is that define a MasterKey in Code (Hardcode) and encrypt the SymmetricKey with the MasterKey. but in this solution there is exists exactly one MasterKey for several instance of app that installs in different devices. if some one can decompile the mobile app code and retrieve MasterKeyhe/she can retrieve SymmetricKey Again . what is the best solution for store sensitive data in mobile application? i read about some method that belongs to mobile os that guarantee that data is securely stored but all the of them needs to user set Profile Account (eg : Protect() and Unprotect() in windows phone that needs hotmail account to be set). can i generate different master keys per different device?

Explanation / Answer

For android phones, there is a credential storage that allows you to store keys. It runs as a system daemon and uses AES to encrypt the keys. The keys are tied to the UID of the app that created it so other rogue apps are unable to access these keys.

For iOS, there is a similar keychain which serves a similar purpose. It is also encrypted and sandboxed so applications can only retrieve their own keychain items.

Do not store the symmetric key in plain text. Although application storage in android is only accessible to the app itself, there is a probability that user may move the app to the SD card which is then fair game for all apps with the permissions to access the SD card.

I do not think a master key is necessary since the credential storage and keychain both provide encryption already.

However, it might be good to use the symmetric key as a shared secret to negotiate a new session key for every session probably through Diffie

Related Questions

I want to check if the data are correct. Especially for the system total. I just
Question #1780219
I want to check my answer (my professor is a stickler) and was hoping to get a s
Question #1940812
I want to check my answers against someone who really knows! Thanks What is the
Question #831028
I want to check my answers and make sure this is correct. I am questioning a cou
Question #3059597
I want to check my answers to these problems? 1. What is the pH of solution when
Question #679207
I want to clear on a concept Dorsal horn sends info to the antereolateral system
Question #206062
I want to collect all the names from table Bookings and WaitingList for a specif
Question #3832513
I want to compare the sorting speed in java and c++ using an array. I have a pro
Question #3748014
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I want to develop a Java Web application with a similar architecture to Jenkins.
Next
I want to develop a system, something like a comment system for a website, that

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.