Developing For Android, Secure Data Transfer Best-practice

I'm searching for a best practice for securely sending data FROM a remote server TO an android device. This data needs to be secure from anyone sniffing the wire, and I expect HTTP

Solution 1:

If you do not have physical control of a device, then you cannot make it 100% secure. Plain and simple.

HTTPS will help you with the transport, but if you are saving data on the local machine (even in temp / garbled format), sooner or later someone is going to try to get at it.

I suggest that you sending the (next) question and the possible answers to the client then send back the chosen answer to the server and let the server decide if it is right or wrong. Rinse and repeat until all questions are done and then show final score.

Solution 2:

It it indeed an impossible task to secure information present on the device. All you can really hope to do is make it harder than someone wants to bother with.

However, if you literally mean a quiz, and don't want to send the answers to the server for validation, it occurs to me that you could use a one-way hash function such that there never is a plaintext official answer present on the phone. Instead, the user's offered answer is run through the function and compared to a hashed official answer.

That would be subject to dictionary attacks of course. If the space of potential answers was quite larger you could make it computationally expensive enough that manually solving all the questions would be faster - however, my guess is that the answer space won't be big (since answers would have to be character for character exact) - you might even be talking multiple choice. In that case a dictionary attack would be fast, and the real work would be reverse engineering the apk enough to identify the one-way hash function, or getting the apk going in an emulator where the input can be programmatically scripted to do the dictionary attack.