Splash-stack apps on Google Play

Brian Milby brian at milby7.com
Tue May 22 01:03:45 EDT 2018


The dictionary entries that you want are "encrypt using rsa", "decrypt
using rsa", and "messageDigest".

High level process...
- Generate a public/private key pair
- Package the file that you want to ensure is not tampered with
- Generate a hash of the file (messageDigest)
- Encrypt the hash with your private key (encrypt using rsa)
- Store the encrypted hash along with the file to download (or possibly put
them both into a zip to make a single download)

- Store the public key inside the app
- Download the encrypted hash and the file
- Decrypt the hash using the public key (decrypt using rsa)
- Compare the decrypted hash with a calculated hash of the downloaded file
- If they match, then the file has not been changed

If you also want to utilize a similar process to secure the file itself
from viewing, then you will need to do something a little different.  The
dictionary suggests that a possible method would be to generate a random
key to actually encrypt the file (symmetric encryption - encrypt).  That
key would be encrypted with a public key.  The encrypted file and encrypted
key would be stored for download.  The app would use the private key to
decrypt the data encryption key.  Once the data encryption key was
obtained, the data could be decrypted.  You would want to use a different
public/private pair of keys for this operation.

This all sounds like a good project for a library (for use in an app) and a
stack (to handle the front end).  I didn't go checking to see if one
already existed though.

On Mon, May 21, 2018 at 10:24 PM, J. Landman Gay via use-livecode <
use-livecode at lists.runrev.com> wrote:

> @Mark, thanks so much for your post, it helps. When you get a chance it
> would be great to get more detail about how to set up the RSA keys. I'm
> sure I won't be the only person here who needs this, so you'll be helping
> everyone.
>
> I think I can find out how to generate the keys, but I'm not quite sure
> what to do with them after that, although I get the gist of it.
>
> On 5/21/18 1:15 PM, Mark Waddingham via use-livecode wrote:
>
>> P.S. I realize the above 'outline' of how to do code signing using PKI is
>> somewhat brief. I'll endeavour to write it up in more detail as soon as I
>> can.
>>
>
>
> --
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
>
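The sign-then-verify steps from the message above, run end to end as an added example that is not part of the original post. It assumes the OpenSSL command-line tool for key generation and RSA operations (the post names only the LiveCode dictionary entries); all file names and the sample payload are constructed.

```shell
#!/bin/sh
# Added example: publisher signs the SHA-256 hash of a file with the private
# key; the app recovers the hash with the public key and compares it to the
# hash of what it actually downloaded.

make_keys() {      # $1 = private key (publisher only), $2 = public key (ships in app)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

sign_file() {      # $1 = private key, $2 = file, $3 = signature to write
    # "Encrypt the hash with your private key": RSA over the raw digest
    openssl dgst -sha256 -binary "$2" |
        openssl pkeyutl -sign -inkey "$1" -out "$3"
}

verify_file() {    # $1 = public key, $2 = downloaded file, $3 = downloaded signature
    vf_tmp=$(mktemp -d) || return 2
    # "Decrypt the hash using the public key"; fails outright on a mangled signature
    openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$3" \
            -out "$vf_tmp/signed" 2>/dev/null &&
    openssl dgst -sha256 -binary "$2" > "$vf_tmp/actual" &&
    cmp -s "$vf_tmp/signed" "$vf_tmp/actual"
    vf_rc=$?
    rm -rf "$vf_tmp"
    return "$vf_rc"
}

demo() {
    d=$(mktemp -d) || return 1
    make_keys "$d/priv.pem" "$d/pub.pem" || return 1
    printf 'stack payload v1\n' > "$d/update.bin"        # constructed sample file
    sign_file "$d/priv.pem" "$d/update.bin" "$d/update.sig" || return 1

    if verify_file "$d/pub.pem" "$d/update.bin" "$d/update.sig"
    then r1=ok; else r1=fail; fi

    printf 'x' >> "$d/update.bin"                        # simulate tampering in transit
    if verify_file "$d/pub.pem" "$d/update.bin" "$d/update.sig"
    then r2=ok; else r2=fail; fi

    rm -rf "$d"
    echo "untouched=$r1 tampered=$r2"
}

demo
```

The app should treat any non-zero result from the verify step as a reason to discard the download, whether the signature could not be decoded or the hashes differ.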


