Best option to store username and password in android app

Frontend | Unresolved | 10 | 1888
深忆病人 2020-12-13 06:26

I am developing an Android app where the user needs to sign in to perform operations. But mostly on an Android handset, people use "Keep me signed in", In

10 answers
  • 2020-12-13 06:33
    Follow the steps below:
    
    1> Create the checkbox in the layout XML file.
    
      <CheckBox
          android:id="@+id/cb_remember"
          android:layout_width="wrap_content"
          android:layout_height="wrap_content"
          android:layout_gravity="center"
          android:layout_marginTop="@dimen/_25sdp"
          android:background="@drawable/rememberme_background"
          android:buttonTint="@android:color/white"
          android:paddingLeft="@dimen/_10sdp"
          android:paddingTop="@dimen/_5sdp"
          android:paddingRight="@dimen/_10sdp"
          android:paddingBottom="@dimen/_5sdp"
          android:text="REMEMBER ME"
          android:textColor="@android:color/white"
          android:textSize="@dimen/_12sdp" />
    
    2> Put the code below in the Java file.
    
      // Prefs and Const are this answer's own SharedPreferences wrapper and key constants.
      cb_remember.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
          @Override
          public void onCheckedChanged(CompoundButton compoundButton, boolean isChecked) {
              if (isChecked) {
                  Log.d("mytag", "checkbox is-----true----");
                  // Remember the choice, then restore the saved credentials into the input fields
                  Prefs.getPrefInstance().setValue(LoginActivity.this, Const.CHECKBOX_STATUS, "1");
                  String userName = Prefs.getPrefInstance().getValue(LoginActivity.this, Const.LOGIN_USERNAME, "");
                  String password = Prefs.getPrefInstance().getValue(LoginActivity.this, Const.LOGIN_PASSWORD, "");
                  // Only the username is logged: logcat can be read by other tools, so the password never goes there
                  Log.d("mytag", "restored userName----" + userName);
                  edt_user_name.setText(userName);
                  edt_pwd.setText(password);
              } else {
                  Log.d("mytag", "checkbox is-----false----");
                  Prefs.getPrefInstance().setValue(LoginActivity.this, Const.CHECKBOX_STATUS, "0");
              }
          }
      });
    
    3> Add the code below in the Java file before we check the checkbox.
    
      // Restore the saved checkbox state; "" (nothing saved yet) counts as unchecked
      String status = Prefs.getPrefInstance().getValue(LoginActivity.this, Const.CHECKBOX_STATUS, "");
      Log.d("mytag", "status of the checkbox is----" + status);
      cb_remember.setChecked(status.equals("1"));
    
  • 2020-12-13 06:34

    Yes, this is tricky on Android. You don't want to store the plaintext password in the preferences, because anyone with a rooted device will basically be displaying their password to the world. On the flip side, you can't use an encrypted password, because you'd have to store your encryption/decryption key somewhere on the device, again susceptible to the root attack.

    One solution I used a while back is to have the server generate a "ticket" which it passes back to the device, which is good for a certain period of time. This ticket is used by the device for all communication, using SSL of course so people can't steal your ticket. This way, the user authenticates their password on the server once, the server sends back an expiring ticket, and the password is never stored anywhere on the device.

    Several three-legged authentication mechanisms, like OpenID, Facebook, even Google APIs, use this mechanism. The downsides are that every once in a while, when the ticket expires, the user needs to re-log in.

    Ultimately, it depends on how secure you want your application to be. If this is simply to distinguish users, and no super-secret information is being stored like bank accounts or blood types, then perhaps saving the pwd in plaintext on the device is just fine :)

    Good luck, whatever method you decide is best for your particular situation!

    Edit: I should note that this technique transfers the responsibility of security to the server - you'll want to use salted hashes for password comparison on the server, an idea you'll see in some of the other comments for this question. This prevents the plaintext password from appearing anywhere except the EditText View on the device, the SSL communication to the server, and the server's RAM while it salts and hashes the password. It's never stored on disk, which is a Good Thing(tm).

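Keeping only the expiring server ticket on the device, as this answer describes. This is an added example, not code from the thread or from any answerer; the SessionTicketStore class, its preference file and key names, and the assumption that the server returns the ticket together with its expiry as Unix milliseconds are mine.

```java
import android.content.Context;
import android.content.SharedPreferences;

/**
 * Keeps only the server-issued, expiring session ticket; the password itself is
 * never written to storage. (Added example; file and key names are made up.)
 */
public final class SessionTicketStore {
    private static final String PREFS_FILE = "session_ticket";   // hypothetical file name
    private static final String KEY_TICKET = "ticket";
    private static final String KEY_EXPIRES_AT = "expires_at";
    // Treat a ticket that expires within this window as already expired, so a
    // request is not sent with a ticket the server will reject a moment later.
    private static final long EXPIRY_SKEW_MS = 30_000L;

    private final SharedPreferences prefs;

    public SessionTicketStore(Context context) {
        // MODE_PRIVATE limits access to this app (a rooted device can still read
        // the file, which is exactly why only the revocable ticket goes in here).
        prefs = context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE);
    }

    /** Store the ticket returned by the server after a successful password login. */
    public void save(String ticket, long expiresAtMillis) {
        prefs.edit()
             .putString(KEY_TICKET, ticket)
             .putLong(KEY_EXPIRES_AT, expiresAtMillis)
             .apply();
    }

    /**
     * Returns the stored ticket if it is still usable; otherwise clears it and
     * returns null, which the caller treats as "show the login screen again".
     */
    public String validTicketOrNull(long nowMillis) {
        String ticket = prefs.getString(KEY_TICKET, null);
        long expiresAt = prefs.getLong(KEY_EXPIRES_AT, 0L);
        if (ticket == null || nowMillis + EXPIRY_SKEW_MS >= expiresAt) {
            clear();
            return null;
        }
        return ticket;
    }

    /** Forget the ticket on logout or when the server rejects it (HTTP 401). */
    public void clear() {
        prefs.edit().remove(KEY_TICKET).remove(KEY_EXPIRES_AT).apply();
    }
}
```

Each request then carries the ticket over HTTPS, as the answer says; a null from validTicketOrNull(System.currentTimeMillis()) means the user signs in with the password again.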
  • 2020-12-13 06:37

    The safest way to do this without jeopardizing security is to use the shared preferences to store ONLY the username of the last person to log in.

    Also, in your table of users, introduce a column that holds a numeric boolean (1 or 0) to represent whether the person checked the "remember me" checkbox or not.

    When launching your app, get the username using the getSharedPreferences() function and use it to query your hosted database to see whether the signedin column is either 1 or 0, where 1 indicates the person checked the "remember me" checkbox.

  • 2020-12-13 06:39

    I wanted to save the password in the SharedPreferences, so I implemented it privately first like the code below

    public class PrefManager {
    
      private SharedPreferences pref;
      private SharedPreferences.Editor editor;
    
      public PrefManager(Context context) {
        // MODE_PRIVATE: the preference file is readable by this app only
        pref = context.getSharedPreferences("PROJECT_NAME", Context.MODE_PRIVATE);
        editor = pref.edit();
      }
    
    }
    

    and to save the password, I used an algorithm to encrypt and decrypt

    encrypt algorithm

      public void setPassword(String password) {
        // Split in the middle, reverse each half and join them again; applying the
        // same steps to the result gives the original string back
        int len = password.length() / 2;
        StringBuilder b1 = new StringBuilder(password.substring(0, len));
        StringBuilder b2 = new StringBuilder(password.substring(len));
        password = b1.reverse().toString() + b2.reverse().toString();
    
        editor.putString("password", password);
        editor.apply();
      }
    
    

    decrypt algorithm

      public String getPassword() {
        String password = pref.getString("password", null);
        if (password == null) {
          return null; // nothing saved yet; avoids a NullPointerException on length()
        }
        // Same split-and-reverse as setPassword, which undoes the transformation
        int len = password.length() / 2;
        StringBuilder b1 = new StringBuilder(password.substring(0, len));
        StringBuilder b2 = new StringBuilder(password.substring(len));
        return b1.reverse().toString() + b2.reverse().toString();
      }
    

    NOTE:

    In this simple algorithm, I split the password from the middle into two pieces, turned it upside down, and put it back together. It was just an idea and you can use your own algorithms to change how to save the password.

    FULL CODE

    import android.content.Context;
    import android.content.SharedPreferences;
    
    public class PrefManager {
    
      private SharedPreferences pref;
      private SharedPreferences.Editor editor;
    
      public PrefManager(Context context) {
        // MODE_PRIVATE: the preference file is readable by this app only
        pref = context.getSharedPreferences("PROJECT_NAME", Context.MODE_PRIVATE);
        editor = pref.edit();
      }
    
      public String getPassword() {
        String password = pref.getString("password", null);
        if (password == null) {
          return null; // nothing saved yet; avoids a NullPointerException on length()
        }
        // Same split-and-reverse as setPassword, which undoes the transformation
        int len = password.length() / 2;
        StringBuilder b1 = new StringBuilder(password.substring(0, len));
        StringBuilder b2 = new StringBuilder(password.substring(len));
        return b1.reverse().toString() + b2.reverse().toString();
      }
    
      public void setPassword(String password) {
        // Split in the middle, reverse each half and join them again; applying the
        // same steps to the result gives the original string back
        int len = password.length() / 2;
        StringBuilder b1 = new StringBuilder(password.substring(0, len));
        StringBuilder b2 = new StringBuilder(password.substring(len));
        password = b1.reverse().toString() + b2.reverse().toString();
    
        editor.putString("password", password);
        editor.apply();
      }
    }
    
  • 2020-12-13 06:43

    At the very least, store it in SharedPreferences (private mode) and don't forget to hash the password. Although this won't really make a difference with a malicious user (or rooted device), it's something.

  • 2020-12-13 06:44

    Using the NDK for encryption and decryption, along with defining the String key variable there instead of saving it in the shared preferences or defining it in the strings XML, would help to prevent secret key stealing against most of the script kiddies. The resulting cipher text would then be stored in the shared preferences. This link may help with the sample code
