

Conceal, a fast Android crypto lib for SD storage. - jamesgpearce
http://facebook.github.io/conceal/

======
infinite_snoop
Can this be used to hide API keys? It's fairly trivial to decompile an APK
file. As another poster pointed out the key for Conceal would need to be
stored somewhere also.

Any ideas or best practices for hiding API keys? Google has not turned up much.
This Stackoverflow suggests storing keys remotely, but surely that too would
be trivial to hack:

http://stackoverflow.com/questions/10203910/anti-hack-solution-for-a-secret-key-in-android-app

------
subiye
Hey guys I worked on Conceal, AMA

~~~
jessaustin
This looks nice, but ISTM it would be most useful when used in concert with
other facilities. For example, does FB have any preferred tool/method for
managing keys in this environment? I've never done any Android coding, but I
hear that lots of people screw up this part...

EDIT: whoops, I didn't see jffry's question before; apparently this occurs to
many people.

~~~
subiye
Conceal ships with a default Keychain implementation which stores the key in
SharedPreferences in the internal storage. You can totally customize this if
you want to store this in a DB or somewhere else.

We realize that most apps already have their own implementation of caches and
we'd rather look at this as a library that helps extend the app specific
storage into external storage without letting other apps read this data.

------
jffry
If you're encrypting the data, you're encrypting it with some sort of key,
which itself has to be stored on the device. Is that code sample using an
Android library to get some secret key that is only accessible to the app in
which it was generated, and no other app?

~~~
subiye
Conceal ships with a default Keychain implementation which stores the key in
SharedPreferences in the internal storage. You can totally customize this.
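The layout described in the replies above (key kept in app-private internal storage, encrypted data written to external storage), as an added example that is not part of the thread and is not Conceal's code or API. It assumes plain `javax.crypto` AES-GCM as the cipher, and the two directory names and the file names are hypothetical stand-ins for the internal files directory and the SD card.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;

public class PrivateKeyExternalData {
    // Assumed stand-ins: on Android these would be internal storage and the SD card.
    static final Path PRIVATE_DIR = Paths.get("app_private");
    static final Path SHARED_DIR = Paths.get("sdcard");

    // Load the AES key from private storage, generating it on first use.
    static SecretKeySpec loadOrCreateKey() throws Exception {
        Path keyFile = PRIVATE_DIR.resolve("cipher_key");
        if (!Files.exists(keyFile)) {
            Files.createDirectories(PRIVATE_DIR);
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            Files.write(keyFile, kg.generateKey().getEncoded());
        }
        return new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
    }

    // Write [12-byte IV][ciphertext + tag] to shared storage; the key never leaves PRIVATE_DIR.
    static void writeEncrypted(String name, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV for every file
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadOrCreateKey(), new GCMParameterSpec(128, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its file name
        Files.createDirectories(SHARED_DIR);
        Files.write(SHARED_DIR.resolve(name), iv);
        Files.write(SHARED_DIR.resolve(name), c.doFinal(plain), StandardOpenOption.APPEND);
    }
    // Decrypt a shared file; doFinal throws AEADBadTagException if it was modified or renamed.
    static byte[] readDecrypted(String name) throws Exception {
        byte[] in = Files.readAllBytes(SHARED_DIR.resolve(name));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadOrCreateKey(), new GCMParameterSpec(128, in, 0, 12));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(in, 12, in.length - 12);
    }
    public static void main(String[] args) throws Exception {
        writeEncrypted("photo_cache.bin", "constructed sample data".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(readDecrypted("photo_cache.bin"), StandardCharsets.UTF_8));
    }
}
```

The confidentiality of the shared files rests entirely on who can read the key file, which is why the key location is the part the replies say you can customize.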

