Important: Unless you have a very particular use-case, do not encrypt passwords, use a password hashing algorithm instead. When someone says they encrypt their passwords in a server-side application, they’re either uninformed or they’re describing a dangerous system design. Safely storing passwords is a totally separate problem from encryption. Be informed. Design safe systems. Portable … Read more
No. MD5 is not encryption (though it may be used as part of some encryption algorithms), it is a one way hash function. Much of the original data is actually “lost” as part of the transformation. Think about this: An MD5 is always 128 bits long. That means that there are 2128 possible MD5 hashes. … Read more
Security Warning: AES-256-CBC does not provide authenticated encryption and is vulnerable to padding oracle attacks. You should use something like age instead. Encrypt: openssl aes-256-cbc -a -salt -pbkdf2 -in secrets.txt -out secrets.txt.enc Decrypt: openssl aes-256-cbc -d -a -pbkdf2 -in secrets.txt.enc -out secrets.txt.new More details on the various flags
In general SharedPreferences are your best bet for storing preferences, so in general I’d recommend that approach for saving application and user settings. The only area of concern here is what you’re saving. Passwords are always a tricky thing to store, and I’d be particularly wary of storing them as clear text. The Android architecture … Read more
When encrypting, you use their public key to write a message and they use their private key to read it. When signing, you use your private key to write message’s signature, and they use your public key to check if it’s really yours. I want to use my private key to generate messages so only … Read more
UPDATE 23/Dec/2015: Since this answer seems to be getting a lot of upvotes, I’ve updated it to fix silly bugs and to generally improve the code based upon comments and feedback. See the end of the post for a list of specific improvements. As other people have said, Cryptography is not simple so it’s best … Read more
Share the password (a char[]) and salt (a byte[]—8 bytes selected by a SecureRandom makes a good salt—which doesn’t need to be kept secret) with the recipient out-of-band. Then to derive a good key from this information: /* Derive the key, given password and salt. */ SecretKeyFactory factory = SecretKeyFactory.getInstance(“PBKDF2WithHmacSHA256”); KeySpec spec = new PBEKeySpec(password, … Read more
UPDATE: Using HTTPS is now exempt from the ERN as of late September, 2016 https://stackoverflow.com/a/40919650/4976373 Unfortunately, I believe that your app “contains encryption” in terms of US BIS even if you just use HTTPS (if your app is not an exception included in question 2). Quote from FAQ on iTunes Connect: “How do I know … Read more
Well, you could look it up in Wikipedia… But since you want an explanation, I’ll do my best here: Hash Functions They provide a mapping between an arbitrary length input, and a (usually) fixed length (or smaller length) output. It can be anything from a simple crc32, to a full blown cryptographic hash function such … Read more
Please consider long and hard if you can’t get around implementing your own cryptography The ugly truth of the matter is that if you are asking this question you will probably not be able to design and implement a secure system. Let me illustrate my point: Imagine you are building a web application and you … Read more