6 comments

[ 448 ms ] story [ 3357 ms ] thread
Hey guys I worked on Conceal, AMA
This looks nice, but ISTM it would be most useful when used in concert with other facilities. For example, does FB have any preferred tool/method for managing keys in this environment? I've never done any Android coding, but I hear that lots of people screw up this part...

EDIT: whoops, I didn't see jffry's question before; apparently this occurs to many people.

Conceal ships with a default Keychain implementation which stores the key in SharedPreferences in the internal storage. You can totally customize this if you want to store this in a DB or somewhere else.

We realize that most apps already have their own implementation of caches and we'd rather look at this as a library that helps extend the app specific storage into external storage without letting other apps read this data.

If you're encrypting the data, you're encrypting it with some sort of key, which itself has to be stored on the device. Is that code sample using an Android library to get some secret key that is only accessible to the app in which it was generated, and no other app?
Conceal ships with a default Keychain implementation which stores the key in SharedPreferences in the internal storage. You can totally customize this.
Can this be used to hide API keys? It's fairly trivial to decompile an APK file. As another poster pointed out the key for Conceal would need to be stored somewhere also.

Any ideas or best practises of hiding API keys? Google has not turned up much. This Stackoverflow suggests storing keys remotely, but surely that too would be trivial to hack:

http://stackoverflow.com/questions/10203910/anti-hack-soluti...