I’m searching for a best practice for securely sending data FROM a remote server TO an android device. This data needs to be secure from anyone sniffing the wire, and I expect HTTPS to handle this much. The real concern I have is this…
The data will be consumed by the app, but the real content hidden from the user. Think of it as if the user is taking a test, and the app has downloaded all the possible answers (and knows which one is correct). Obviously, you would not want the user to be able to sniff the traffic to discover which answer is correct, nor would you want the user to be able to reverse engineer the app and find the super-secret decryption key used to decipher the data.
This may be an impossible task, but are there any good methods for really locking down this kind of sensitive data? I know these days nothing is safe, not even the blu-ray decryption key. But maybe someone could point me in the right direction.
If you do not have physical control of a device, then you cannot make it 100% secure. Plain and simple.
HTTPS will help you with the transport, but if you are saving data on the local machine (even in temp / garbled format), sooner or later someone is going to try to get at it.
I suggest that you sending the (next) question and the possible answers to the client then send back the chosen answer to the server and let the server decide if it is right or wrong. Rinse and repeat until all questions are done and then show final score.