Although I've been programming for a while, I've never faced security issues before, and when I read about what I need for my app, it's not clear to me why they apply those techniques. Basic functions:
From Android:
→ I encrypt files that I send to the server, later I receive those same files again and I have to be able to decrypt them.
From Server:
→ I save those encrypted files to return them when necessary and also to decrypt them.
The AES key to encrypt / decrypt must be known by both Android and the server.
To solve this I found a solution:
- Encrypt anything with AES, with the encryption key at the same time encrypted with RSA; the keys are sent and changed by request
- Save the RSA public and private keys in the Android keystore, in order to encrypt / decrypt
- Use Diffie-Hellman encryption
And I use SSL and AES for the files, with a key per user that is generated in Android and that I send to the server when I sign up. I would like to know if what I do is considered safe, and if the reason for using all those techniques is for not using SSL.
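
The scheme in the first bullet above (data encrypted with AES, the AES key itself encrypted with RSA), as an added example that is not part of the original post. It assumes AES-256-GCM and RSA-OAEP, an RSA key pair generated in memory rather than held in the Android keystore, and constructed sample data; the class name is hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class: AES encrypts the file, RSA encrypts (wraps) the AES key.
public class HybridEncryptionExample {
    // Providers differ in the default MGF1 digest for this name; set an
    // OAEPParameterSpec explicitly when the two sides run different providers.
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES = "AES/GCM/NoPadding";

    public static void main(String[] args) throws Exception {
        // Assumption: receiver's key pair is generated here instead of in a keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair receiver = kpg.generateKeyPair();
        byte[] file = "constructed sample file contents".getBytes(StandardCharsets.UTF_8);

        // Sender: fresh AES key and fresh 12-byte nonce for every file.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher enc = Cipher.getInstance(AES);
        enc.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = enc.doFinal(file); // includes the GCM auth tag

        // Sender: only the short AES key goes through RSA, using the public key.
        Cipher wrap = Cipher.getInstance(RSA);
        wrap.init(Cipher.ENCRYPT_MODE, receiver.getPublic());
        byte[] wrappedKey = wrap.doFinal(aesKey.getEncoded());

        // Receiver: recover the AES key with the private key, then decrypt.
        Cipher unwrap = Cipher.getInstance(RSA);
        unwrap.init(Cipher.DECRYPT_MODE, receiver.getPrivate());
        SecretKey recovered = new SecretKeySpec(unwrap.doFinal(wrappedKey), "AES");
        Cipher dec = Cipher.getInstance(AES);
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, nonce));
        byte[] plain = dec.doFinal(ciphertext); // throws if ciphertext was altered
        System.out.println("round trip ok: " + Arrays.equals(plain, file));
    }
}
```

The sender transmits `wrappedKey`, `nonce` and `ciphertext`; the nonce is not secret but must never repeat under the same AES key.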