Is It Safe To Store The Encryption/decryption Key Into A Static Variable?

- 1 answer

I am developing an app in Android Studio and I am passing data from server to phone via JSONs.

Is there a way for me to encrypt JSON data?

Is it safe to store the encryption/decryption key into a static variable? If not, where should I store the keys in Android?

None of these SO questions below helped me:

Can I encrypt my JSON data?

Encrypt json data



It is absolutely NOT safe to store the encryption/decryption key into a static variable.

For this kind of communication, rather than one secret (symmetric) key being shared between the server and your app (which you have to arrange and keep track of), an asymmetric key pair is used. A key pair is a private key and the corresponding public key.

Let's pretend you only need to encrypt data going one way, from the server to the app: Your app generates a random, dispensable, temporary key pair, and sends the public key to the server. The server can then use that public key to encrypt the message that it is sending back to the app, without ever seeing the private key, and the message can only be decrypted with the private key, which never left the app. The public key cannot be used to decrypt, only encrypt.

If that key pair was created just for that exchange, then it can be thrown away and a new pair established for communication at any time (or after an expiration date/time).

That said, this is all done automatically, in both directions with https connections. So, setting that up would probably cover your needs. You're kind of re-inventing the wheel, otherwise. Unless you want that kind of strict control over the security. Even then, do both!

**Note:** The above explanation is for conceptual purposes. Strictly speaking, https uses the Diffie-Hellman key exchange to send public keys between client and server (as stated above), but those are used to compute a shared symmetric key, which is more efficient, computationally.
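The one-way exchange the answer describes (the app generates a throwaway key pair, sends only the public key, the server encrypts the JSON reply with it, and the app decrypts with the private key that never left the device), written out as an added Java example that is not part of the original answer. The class and method names are my own, the JSON payload is a constructed sample, and RSA-OAEP is assumed as the public-key scheme since the answer does not name one.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

public class EphemeralKeyPairDemo {
    // RSA with OAEP padding; both sides must use the same transformation string.
    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // App side: generate a throwaway key pair for this exchange only (nothing is stored statically).
    static KeyPair appGenerateKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // App side: serialize the public key so it can travel to the server, e.g. as a JSON string field.
    static String appExportPublicKey(PublicKey pub) {
        return Base64.getEncoder().encodeToString(pub.getEncoded()); // X.509 SubjectPublicKeyInfo DER
    }

    // Server side: rebuild the public key from the received string and encrypt the JSON reply with it.
    static String serverEncryptJson(String publicKeyB64, String json) throws Exception {
        byte[] der = Base64.getDecoder().decode(publicKeyB64);
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, pub);
        // RSA-2048 with OAEP/SHA-256 fits at most 190 plaintext bytes; larger JSON needs a hybrid scheme.
        byte[] ct = cipher.doFinal(json.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // App side: only the holder of the private key can decrypt, and that key never left the device.
    static String appDecryptJson(PrivateKey priv, String ciphertextB64) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, priv);
        byte[] pt = cipher.doFinal(Base64.getDecoder().decode(ciphertextB64));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPair ephemeral = appGenerateKeyPair();                  // lives only for this exchange
        String sentToServer = appExportPublicKey(ephemeral.getPublic());
        String reply = serverEncryptJson(sentToServer, "{\"user\":\"alice\",\"balance\":42}"); // constructed sample
        System.out.println(appDecryptJson(ephemeral.getPrivate(), reply));
        // The pair is simply dropped afterwards; a fresh one is generated for the next exchange.
    }
}
```

Over TLS this whole dance happens for you, so the example is mainly to make the "private key never leaves the app" property concrete.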