Developer ForumDeveloper BlogAtlas

Security for Android

A look at security configuration for Brand Messenger on iOS

Suggest Edits

Encryption Delegate

Android SDK's default encryption and storage.

The Android SDK receives and sends several secure tokens during its login and lifecycle as shown in the Authentication section.

Without custom implementation, the SDK stores those tokens and passwords in private SharedPreferences after encryption using AES cipher from an RSA key pair from javax.crypto, java.security and android.security modules.

The SDK offers a way to bypass this default behavior if the customer chooses to implement their own encryption and storage solution.

KBMEncryptionDelegate

BrandMessengerManager class has a setEncryptionDelegate method which once implemented, will hand off encryption and storage of auth-token KBM_USER_AUTH_TOKEN, password KBM_PASSWORD and device-key KBM_DEVICE_KEY to the delegate instead of handling them inside the SDK.

BrandMessengerManager.setEncryptionDelegate(this, new KBMEncryptionDelegate() {
    @Override
    public boolean putSecureValue(String key, String value) {
        // return false is storing value fails.
        return true;
    }

    @Override
    public String getSecureValue(String key) {
        return "";
    }

    @Override
    public boolean hasSecureValue(String key) {
        return false;
    }

    @Override
    public void clearAll() {
    }
});

BrandMessengerManager.setEncryptionDelegate(context, object: KBMEncryptionDelegate {
    override fun putSecureValue(key: String?, value: String?) {
    }

    override fun getSecureValue(key: String?): String {
        return ""
    }

    override fun hasSecureValue(key: String?): Boolean {
        return false
    }

    override fun clearAll() {
    }
})

The SDK will continue to handle encrypting and storing application-id & company-key in its secure storage.

Certificate Pinning

The SDK provides a way to pin certificates against the Authentication Handler and Messaging endpoints. It is turned off by default. On every app launch, enableDefaultCertificatePinning(context) must be called in order to start pinning.

These endpoints can be customized, but must be done before calling enableDefaultCertificatePinning. This is a permanent customization, and will require reinstalling the app to return those endpoints to their default values.

BrandMessengerUserPreference.getInstance(this).setCustomAuthHandlerUrl("messaging-auth.khoros.com");
BrandMessengerUserPreference.getInstance(this).setUrl("brandmessenger.khoros.com");
BrandMessengerManager.enableDefaultCertificatePinning(context);

Updated 11 months ago