Simple symmetric scheme: Encrypt the data in the client and store the encrypted data in the server. The client never exposes its secret key (hashed user-entered password) stored in pinned memory (not possible on Android afaik but you should try). Provide an encryption SDK to make client development easier. Problem is that the data in the server is encrypted so indexing and sorting don't work.

Asymmetric encryption: It is possible to come up with more complex schemes using PKI where the server and client exchange certificates (or just public keys) and the data is encrypted by the client for the server (which can unencrypt if it needs to store it in the clear for indexing - not recommended) and by the server for the client.

-- Richard

On Jul 10, 12:47 pm, Raj <[email protected]> wrote:
> Thanks for the replies...
>
> @Yuliy,
>
> How can I get the PID of the calling process from the received intent?
> I'm afraid I can't find the relevant methods for the steps you mention.
> Could you point me to the right documentation?
>
> @Dirk,
> Unfortunately, signature based permissions won't fulfill the
> requirements for my application. The clients accessing my server won't
> be signed with the same key :-(
> So I need to know the "identity", which I think in Android's case is
> the package name with which the clients are installed (I'm assuming no
> two applications will be allowed to be installed with the same package
> name in Android - is this correct?).
>
> My project is to build a "server" app which can provide a "safe box"
> for other applications to store some data and retrieve it later on. To
> make this secure and ensure that "malicious" apps don't get the data
> from the server app, I need an unforgeable identity for the clients
> from the Android OS (I can't rely on the clients to give me their real
> "identity" when requesting data from the server app).
>
> Any ideas how to accomplish this?
>
> On Jul 10, 2:35 am, Dirk Sigurdson <[email protected]> wrote:
>
> > If your two packages are going to be signed by the same key you can use
> > signature based permissions. Just create your own permission and then check
> > that the caller has been granted that permission inside your server.
> > Signature based permissions will only be granted to packages that are
> > signed with the same key as the package that declared the permission.
> >
> > Dirk
> >
> > On Tue, Jul 6, 2010 at 3:10 AM, Raj <[email protected]> wrote:
> > > Hi,
> > >
> > > I'm new to Android and currently trying to write two simple
> > > applications: a client and a server.
> > > The client sends a hello in an intent (startactivity_for_result) to
> > > which the server responds with a message.
> > > Is there a way for the server to reliably check from the received
> > > intent that the intent was indeed sent by my client and not by some
> > > other application on the phone? I tried different methods, for
> > > instance, to get the package name of the client sending the intent
> > > (since the package name is known to me), but couldn't get this info
> > > from the intent.
> > >
> > > From the Android documentation I see that you check only if a
> > > particular intent was granted the necessary permission by Android.
> > > There is nothing about the "identity" of the intent sending app.
> > >
> > > Is there a way to authenticate the apps sending intents at the handling
> > > side?
> > >
> > > Cheers,
> > > Raj
