I'm working on an app that needs to send a set username and password, along with some encrypted data. I obviously don't want to hard-code the user/pass combo, so I thought I'd encrypt the combo beforehand and only hard-code those values. The problem I'm seeing though is that I still have to hard-code the encryption key. This would allow anyone to decompile the APK, get the encrypted combo and the key, and decrypt the combo, giving them full access to our server.
My question is, how do I make this truly secure? The key I would imagine HAS to be hard-coded into the app; I don't see any way around this.
This is my first work with encryption, so if I'm missing something obvious, I apologize, but I've done quite a bit of research and I'm just not seeing anything.
You can't bake keys or anything into the app for the reason you mention. What you do is, when the app first loads, you have the user/app register and then it gets a random key that you use.
Note that you have to have some way of preventing users from registering who did not buy the app. You could use their Gmail account for this, or I think Android supports subscriptions.
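The registration flow the answer describes, as an added illustration that is not code from the question or the answer: the APK ships no secret at all; on first run the install registers with a proof of purchase and is issued a random per-install secret, which the server keeps only as a hash and can revoke individually. The class names, the in-memory store and the purchase-token check are assumptions standing in for a real backend and store-receipt verification.

```python
import hashlib
import hmac
import secrets

# Assumed demo backend; a real service would verify a store receipt or subscription here.
class RegistrationServer:
    def __init__(self, valid_purchase_tokens):
        self._valid_purchases = set(valid_purchase_tokens)  # constructed stand-in for receipts
        self._used_purchases = set()
        self._installs = {}  # install_id -> sha256(secret); plaintext secret is never stored

    def register(self, purchase_token):
        """First-launch registration: returns (install_id, secret), or None if not entitled."""
        if purchase_token not in self._valid_purchases or purchase_token in self._used_purchases:
            return None
        self._used_purchases.add(purchase_token)  # one registration per purchase
        install_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)        # 256 bits of randomness, unique to this install
        self._installs[install_id] = hashlib.sha256(secret.encode()).digest()
        return install_id, secret

    def authenticate(self, install_id, presented_secret):
        """Per-request check: constant-time compare of the hash of the presented secret."""
        stored = self._installs.get(install_id)
        if stored is None:
            return False
        presented = hashlib.sha256(presented_secret.encode()).digest()
        return hmac.compare_digest(stored, presented)

    def revoke(self, install_id):
        """A leaked per-install secret can be cut off without affecting other installs."""
        self._installs.pop(install_id, None)


class AppInstall:
    """Client side: nothing is baked in; the issued secret is kept locally after first run."""
    def __init__(self):
        self.install_id = None
        self.secret = None

    def first_run(self, server, purchase_token):
        issued = server.register(purchase_token)
        if issued is None:
            return False
        self.install_id, self.secret = issued
        return True

    def call_api(self, server):
        return server.authenticate(self.install_id, self.secret)
```

Decompiling this client yields no credential; what an attacker could obtain from one rooted device is that install's own secret, which the server can revoke.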