How to implement Java 256-bit AES encryption with CBC

野的像风 2020-12-24 09:41

I've read the following threads and they've helped a little, but I'm looking for a little more info.

How to write AES/CBC/PKCS5Padding encryption and decryption w

2 Answers
  •  轮回少年
    2020-12-24 09:59

    Having done similar projects in a midlet before, I have the following advice for you:

    1. There is no secure way to store a shared secret on the phone. You can use it but this falls into a category called Security through Obscurity. It's like a "key under mat" kind of security.
    2. Don't use 256-bit AES, which is not widely available. You might have to install another JCE. 128-bit AES or TripleDES are still considered secure. Considering #1, you shouldn't worry about this.
    3. Encryption using a password (different for each user) is much more secure. But you shouldn't use the password as the key like you are showing in the example. Please use PBEKeySpec (password-based encryption) to generate the keys.
    4. If you are just worried about MITM (man-in-the-middle) attacks, use SSL.
