发表新帖
发表新帖

Should you use AccountManager for storing Usernames and Passwords for an Android app?

后端 未结
关注
2 636
暖寄归人
暖寄归人 2020-12-08 15:58

I would like to know if one should implement AccountManager to save user credentials such as username, email, passwords etc. I can\'t find a good reason to use

相关标签:
2条回答
  • 深忆病人
    2020-12-08 16:20

    This accepted answer to this question would probably help you... What should I use Android AccountManager for?

    It should also be pointed out, as mentioned in the above post and also in AccountManager without a SyncAdapter? , that you can't have an AccountManager without a SyncAdapter, so its probably not good to use this for your particular situation.

    I can't see any reason to use an AccountManager specifically for storing this type of information - at the end of the day, its no different to manually storing the data yourself in your own database or file. If anything, it probably complicates things - why don't you just store it in SharedPreferences?

    The only reason I could think of that would encourage the use of AccountManager would be if you want to share your account across a number of different apps, as the data is stored in the central Android datastore which can be accessed by all apps. However, if this isn't required, I think its probably easier and simpler to just use SharedPreferences

    0 讨论(0)
  • 小蘑菇
    2020-12-08 16:21

    Overview

    Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB.
    A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key.

    But even the AccountManager is not fully secured in case of lost phone for example, see this for more info.

    Good practice(s)

    • I would recommend to use the AccountManager and not store the password in clear but the hash.
    • And for a better level of security it's even better to store a device dedicated token delivered by the webservice and associated to the account (on the webservice side) and enable the user to revoke the token.

    Not good

    • Do not store a clear or even hashed password as a file or in a DB accessible by anyone.
    • Never store a clear password but always work with a hash instead.

    See also

    • What protects Android AccountManager passwords from being read by other apps?
    • http://developer.android.com/training/articles/security-tips.html#Credentials
    0 讨论(0)
 看不清?
提交回复
热议问题