-1

I have Facebook and Google login in my application; I use my backend server to store data about the user, such as name and status.

I am sending the token alongside some info like user points; the server uses the token to identify the user and does its work just fine.

Before publishing the app I want to encrypt everything. I know I can use SSL, however my provider charges A LOT of money for SSL support.

My idea was to generate an RSA keypair, save the private key in a safe place, and have the public key in the APK.

I can generate, encrypt and decrypt using RSA within my app very easily, but I'm not an expert in PHP. I tried a lot of things to decrypt stuff on the server side but I can't figure out how to do it.

I have one keypair generated by Android; I used

    getPublic().getEncoded()
    getPrivate().getEncoded()

How can I use the private key in PHP to decrypt and encrypt data?

I know that this may not be the best way to do things, but I think I won't have a problem: the target audience is really far from hackers.

3 Comments
  • What does "I want to encrypt everything" mean? Data in transit, data on the device, data on the server, something else? Commented Aug 14, 2016 at 11:54
  • In transit. This is to avoid token theft or score manipulation: I have a JSON array with the token and score, and I want to be able to protect this in transit. I am able to encrypt on the phone, but I can't decrypt on the server. Commented Aug 14, 2016 at 14:20
  • Then the correct answer is HTTPS. There is Let's Encrypt, somewhat of a hassle with renewals, or pay for a certificate; that is the price of security. Also pin the certificate to prevent MITM attacks. Security is neither free nor easy, but your users deserve it. Commented Aug 14, 2016 at 15:22

2 Answers

1

Because you added the tag PHP, I am assuming that you have some kind of REST API running that you are calling from your Android app. Now you don't need to encrypt and decrypt in PHP; those are handled by your web server. As far as SSL goes, have a look at Let's Encrypt, which is open source. Enforcing SSL alone on the web server is a pretty good security measure.

2 Comments

From what I am reading, I think I need shell access to install this, which I don't have. I can upgrade to a better server in the future, but for now I am stuck with the basic Linux hosting.
@TiagoOliveira The choice is your cost vs. the user's security. If you are not going to provide HTTPS security, explicitly tell the users that their logins are not secure because you can't afford it.
0

I think I achieved what I was trying to do. Login is 100% handled by Facebook and Google via HTTPS; I only use tokens to identify the user on my server and increment the score.

1- Token and score are encrypted and sent to the server
2- Using the private key the server finds the token, and I use HTTPS to make calls to Facebook or Google to retrieve the user ID and increment the score

Note that all data stored on my server is 100% public; I don't store private information about anyone. I just want to protect the token: if someone gets the token and starts to make a lot of calls, it may reach the Facebook limit of 200 calls/hour per user, making my app inoperable.

I will upgrade to SSL in the future, when I start to earn revenue from the app.

Android

    import android.util.Base64;
    import java.security.KeyFactory;
    import java.security.PublicKey;
    import java.security.spec.X509EncodedKeySpec;
    import javax.crypto.Cipher;

    // Base64 of getPublic().getEncoded(), i.e. the X.509/SubjectPublicKeyInfo DER
    // bytes of the public key, without any PEM header/footer lines.
    String pubKeyPEM = "***";

    public void something() throws Exception {
        // Base64.DEFAULT (value 0) wraps lines; PHP's base64_decode() tolerates that.
        String sendToServer = Base64.encodeToString(RSAEncrypt("test"), Base64.DEFAULT);
    }

    public byte[] RSAEncrypt(final String request) throws Exception {
        PublicKey publicKey = getPublicKey();
        // PKCS#1 v1.5 padding, which is what PHP's openssl_private_decrypt() expects
        // by default. "RSA/None/PKCS1Padding" is accepted by Android's provider and is
        // equivalent to the standard JCE name "RSA/ECB/PKCS1Padding".
        Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        return cipher.doFinal(request.getBytes("UTF-8"));
    }

    public PublicKey getPublicKey() throws Exception {
        byte[] decoded = Base64.decode(pubKeyPEM, Base64.DEFAULT);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        return kf.generatePublic(new X509EncodedKeySpec(decoded));
    }

PHP

    <?php
    // Full PEM of the private key (the "-----BEGIN RSA PRIVATE KEY-----" block) goes here.
    $privkey = '-----BEGIN RSA PRIVATE KEY-----';

    function decrypt($data) {
        global $privkey;
        // Default padding is OPENSSL_PKCS1_PADDING, matching the PKCS1Padding used on
        // the Android side. $decrypted is filled by reference on success.
        if (openssl_private_decrypt(base64_decode($data), $decrypted, $privkey)) {
            return $decrypted;
        }
        return '';
    }

The private key will be moved to a safer place, but this is working just as I wanted.

My server is also checking whether the token was generated by my app ID, so if someone tries to use a different token, it will show a different app ID.
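The exchange described in this answer, reproduced with the openssl command line as an added example (this is not code from the question or either answer). It assumes the openssl CLI is on PATH; the token string and the scores are made-up sample values. The script produces the exact public-key string the Android side pastes into pubKeyPEM (base64 of the SubjectPublicKeyInfo DER, which is what X509EncodedKeySpec expects) and the PEM private key the PHP side passes to openssl_private_decrypt(), then mirrors the two functions above: client_encrypt() is Cipher "RSA/None/PKCS1Padding" plus Base64, server_decrypt() is the PHP decrypt(). It also shows what the answer does not: RSA-2048 with PKCS#1 v1.5 padding carries at most 245 bytes, and because the public key ships inside the APK, anyone can encrypt any score (or resubmit a captured ciphertext) and the server accepts it, so the scheme hides the token from a passive observer but does not prevent the score manipulation the question set out to stop.

```shell
#!/bin/sh
# Added example (not from the original question or answers): the Android/PHP
# exchange done with the openssl CLI so the key formats and padding can be
# checked offline. Assumes openssl is on PATH; token and scores are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server side, once: priv.pem is the PEM that PHP's openssl_private_decrypt()
# takes; pub.pem is the SubjectPublicKeyInfo form, which is what Java's
# X509EncodedKeySpec expects once the PEM header/footer lines are removed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"

# The value to paste into pubKeyPEM in the APK: base64 DER, no armour lines.
android_pubkey_string() {
    grep -v -- '-----' "$WORK/pub.pem" | tr -d '\n'
}

# Client side: what Cipher "RSA/None/PKCS1Padding" plus Base64 produce.
# pkeyutl defaults to PKCS#1 v1.5 padding, the same as PHP's OPENSSL_PKCS1_PADDING.
# RSA-2048 with this padding holds at most 245 bytes: for a longer payload
# pkeyutl fails and this function prints nothing.
client_encrypt() {   # $1 = plaintext; prints base64 ciphertext
    printf '%s' "$1" \
        | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        | openssl base64 -A
}

# Server side: the PHP decrypt() function, step for step.
# Prints the plaintext, or nothing when the input does not decrypt.
server_decrypt() {   # $1 = base64 ciphertext
    printf '%s' "$1" \
        | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" 2>/dev/null || true
}

# Stand-alone demo with a constructed payload of the same shape as the post's JSON.
GENUINE='{"token":"EAAB-demo-token","score":10}'
CT=$(client_encrypt "$GENUINE")
echo "APK pubKeyPEM:      $(android_pubkey_string | cut -c1-40)..."
echo "sent to server:     $CT"
echo "server decrypted:   $(server_decrypt "$CT")"

# What the scheme does not give: the public key ships in the APK, so anyone who
# unpacks it can encrypt any score they like, and a captured ciphertext can be
# resubmitted unchanged. The server accepts both; RSA here only hides the token
# from a passive observer.
FORGED='{"token":"EAAB-demo-token","score":999999}'
echo "forged, accepted:   $(server_decrypt "$(client_encrypt "$FORGED")")"
echo "replayed, accepted: $(server_decrypt "$CT")"
```

Run it with `sh demo.sh`. The first line of output is the string that belongs in pubKeyPEM, and the decrypted lines show that the server has no way to tell the genuine message from the forged or replayed one; the only defence the answer relies on is that the token itself is unreadable in transit.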
