This repository was archived by the owner on Jun 22, 2018. It is now read-only.
In the SDK examples this is used to initialize:

```java
SPiDConfiguration config = new SPiDConfigurationBuilder()
        .clientSecret("your-client-secret")
```

Then PBEKeySpec and SecretKeyFactory (from the http://android-developers.blogspot.no/2013/02/using-cryptography-to-store-credentials.html example?) are used to stretch the key, then it's used to decode content in the database.
This is a method for key stretching: increasing the size of short PINs and such. It takes me roughly 15 seconds to decompile the APK and get the actual key used for decoding. So it adds nothing to security. However, it adds about 100ms startup time.

Maybe using MODE_PRIVATE + a simple AES encryption with a predefined key is a better way to go here? Security won't be any worse than it is, and startup time won't suffer. If we later need to support an "extra secure" token type that requires a user's passphrase, that needs to be different from the main token anyway. (Or we'd have to ask for a PIN every time we start up the apps.)
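
The point made in the issue above, as an added example (not code from the SDK or from the issue author): PBKDF2 is deterministic, so stretching a constant that ships inside the app yields a key that anyone holding the same constant and the stored salt can re-derive, while the app still pays the derivation time. The class name, iteration count, salt handling and the AES-GCM mode are assumptions chosen for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class StretchedConstantDemo {
    // Assumed parameters for illustration; not taken from the SDK.
    static final int ITERATIONS = 10000;
    static final int KEY_BITS = 256;

    // PBKDF2 is deterministic: same secret + salt + iterations => same key.
    static byte[] stretch(String secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        String embedded = "your-client-secret"; // constant compiled into the app
        byte[] salt = new byte[16];             // constructed; stored beside the data
        byte[] iv = new byte[12];               // constructed; stored beside the data
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);

        // The app derives its storage key and pays the stretching cost at startup.
        long t0 = System.nanoTime();
        byte[] appKey = stretch(embedded, salt);
        long ms = (System.nanoTime() - t0) / 1_000_000;

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(appKey, "AES"),
                new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("constructed-token".getBytes(StandardCharsets.UTF_8));

        // A second party with the same constant and the stored salt/IV gets the same key.
        byte[] otherKey = stretch("your-client-secret", salt);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, new SecretKeySpec(otherKey, "AES"),
                new GCMParameterSpec(128, iv));
        String recovered = new String(dec.doFinal(ct), StandardCharsets.UTF_8);

        System.out.println("keys equal: " + Arrays.equals(appKey, otherKey));
        System.out.println("recovered:  " + recovered);
        System.out.println("stretch ms: " + ms);
    }
}
```

Stretching only raises the cost of guessing when the input is something the app does not contain, such as a user-entered PIN or passphrase.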