Best option to store username and password in android app

Front-end | Unresolved | 10 | 1889
深忆病人 2020-12-13 06:26

I am developing an Android app where the user needs to sign in to perform operations. But mostly on an android handset, people use "Keep me signed in", In

10 answers
  • 2020-12-13 06:48

    Google offers the mechanism of the AccountManager. This is the standard mechanism to use for creating accounts. The login data is then stored where Android finds it suitable, e.g. if the device is offering a secured zone, it will be used. Of course rooted devices are still an issue, but at least this is using the standard mechanism and not something self-baked which is also not benefiting from Android system updates. This also has the advantage that the account is listed in the Android settings; another positive feature is the "sync" feature, which enables an account to sync data between the app and the backend system, so you get more than just the login.

    Apart from this, using a username and password is not the best option anymore. All better apps are using OAuth nowadays. Here the noteworthy difference is that the password is just transmitted once during the login in exchange for an access token. The access token usually has an expiration date and can also be revoked on the server. This mitigates the risk that the password is intercepted, and it is not stored on the device. Your backend should support this.

  • 2020-12-13 06:51
     import android.util.Base64;
     import android.widget.EditText;
     import java.io.UnsupportedEncodingException;

     // encode password
     // Note: Base64 is a reversible encoding, not encryption. Anyone who can read the
     // preferences file recovers the password with a single decode call.
     // hbha_pref_helper is the answerer's own SharedPreferences wrapper.
     pass_word_et = (EditText) v.findViewById(R.id.password_et);
     String pwd = pass_word_et.getText().toString();
     byte[] data = new byte[0];
     try {
         data = pwd.getBytes("UTF-8");
     } catch (UnsupportedEncodingException e) {
         e.printStackTrace(); // UTF-8 is always available on Android, so this never fires
     }
     String base64 = Base64.encodeToString(data, Base64.DEFAULT);
     hbha_pref_helper.saveStringValue("pass_word", base64);

     // decode password (separate snippet, so the variable names do not clash with the above)
     String stored = hbha_pref_helper.getStringValue("pass_word");
     byte[] raw = Base64.decode(stored, Base64.DEFAULT);
     String decoded_pwd = "";
     try {
         decoded_pwd = new String(raw, "UTF-8");
     } catch (UnsupportedEncodingException e) {
         e.printStackTrace();
     }
    
  • 2020-12-13 06:54

    As others have said there is no secure way to store a password in Android which protects the data fully. Hashing/encrypting the password is a great idea but all it will do is slow down the "cracker".

    With that said, this is what I did:

    1) I used this SimpleCrypto.java class, which takes a seed and a text and encrypts it.
    2) I used SharedPreferences in private mode, which protects the saved file on non-rooted devices.
    3) The seed I used for SimpleCrypto is an array of bytes, which is a little bit harder to find by decompilers than a String.

    My application was recently reviewed by a "white hat" security group hired by my company. They flagged this issue, and indicated I should be using OAuth, but they also listed it as a LOW risk issue, which means it's not great, but not bad enough to prevent release.

    Remember that the "cracker" would need to have physical access to the device AND root it AND care enough to find the seed.

    If you really care about security, don't have a "keep me logged in" option.

  • 2020-12-13 06:59

    You could use EncryptedSharedPreferences from the Jetpack security library. It works great for key-value type settings.

    It wraps SharedPreferences, providing secure encryption/decryption while maintaining the same API as SharedPreferences.

    As in their example:

      import android.content.Context;
      import android.content.SharedPreferences;
      import androidx.security.crypto.EncryptedSharedPreferences;
      import androidx.security.crypto.MasterKeys;
      import java.io.IOException;
      import java.security.GeneralSecurityException;

      // Both library calls throw checked exceptions, so the caller handles or declares them.
      SharedPreferences openSecurePrefs(Context context) throws GeneralSecurityException, IOException {
          // The master key is created in the Android Keystore; only its alias is returned
          String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);

          SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
              "secret_shared_prefs",
              masterKeyAlias,
              context,
              EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
              EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
          );

          // use the shared preferences and editor as you normally would;
          // keys and values are encrypted before they reach the XML file on disk
          SharedPreferences.Editor editor = sharedPreferences.edit();
          editor.apply();
          return sharedPreferences;
      }
    
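Putting the first answer (store a short-lived access token, never the password) together with this one (EncryptedSharedPreferences as the storage), here is an added example, not code from any answer on this page or from the Jetpack library, of a small token store that persists only the token and its expiry, refuses to hand back an expired token, and wipes itself on logout. The file name, key names and the 30-second clock-skew allowance are assumptions of the example.

```java
import android.content.Context;
import android.content.SharedPreferences;

import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;

import java.io.IOException;
import java.security.GeneralSecurityException;

// Added example; not part of the original answers.
public final class SessionTokenStore {
    private static final String FILE = "session_token_prefs";         // hypothetical file name
    private static final String KEY_TOKEN = "access_token";            // hypothetical key names
    private static final String KEY_EXPIRES = "access_token_expires_at";
    private static final long CLOCK_SKEW_MS = 30_000L;                 // assumed tolerance

    private final SharedPreferences prefs;

    public SessionTokenStore(Context context) throws GeneralSecurityException, IOException {
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        prefs = EncryptedSharedPreferences.create(
                FILE,
                masterKeyAlias,
                context,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    // Called after a successful login. Only the server-issued token is kept, together with
    // the absolute time at which the server said it expires; the password is never written.
    public void save(String accessToken, long expiresInSeconds) {
        long expiresAt = System.currentTimeMillis() + expiresInSeconds * 1000L;
        prefs.edit()
             .putString(KEY_TOKEN, accessToken)
             .putLong(KEY_EXPIRES, expiresAt)
             .apply();
    }

    // Returns a token that is still valid, or null if none is stored or it has expired.
    // An expired token is removed immediately so the app falls back to a fresh sign-in.
    public String validToken() {
        String token = prefs.getString(KEY_TOKEN, null);
        long expiresAt = prefs.getLong(KEY_EXPIRES, 0L);
        if (token == null) {
            return null;
        }
        if (System.currentTimeMillis() + CLOCK_SKEW_MS >= expiresAt) {
            clear();
            return null;
        }
        return token;
    }

    // Logout: remove the token locally. Revoking it on the server is a separate backend call.
    public void clear() {
        prefs.edit().remove(KEY_TOKEN).remove(KEY_EXPIRES).apply();
    }
}
```

Because the stored value is a token rather than the password, a copy of the preferences file taken from a rooted device is bounded in damage by the token's lifetime and by the server's ability to revoke it, which is exactly the property the first answer argues for.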