What is the best way to hide the keystore password in Android?

Question

I\'m new to Android development and implementing SSLSockets. After doing some digging I was able to setup a simple server/client that is working. The implementation I feel

Answer 1

Well this is not an easy problem to begin with.

You could for example request the password from the user on application startup so that the password is not hardcoded in your code.I think this is the most secure approach.

If this is not possible, then your problem arises if someone has access to the jars and "sees" the code and subsequently the password. You could delegate to the user protecting these jars.

If this is not possible then you could encrypt the password and store it somewhere. Then in your code you hard code the key to decrypt the password. So someone looking into the jar can not see your real password.Only the decryption key. Of course if one put real effort he could get the key and try to find where the password is located and decrypt it and get the key but it requires more effort to do.

In the end it depends on what security requirements you have

Answer 2

If you truly want to protect the users credentials then you must ask them to verify their identity whenever you want access to the credentials. However most users will get annoyed if you ask them for their password every time they login, so you as the developer must decide how much you care about security vs providing a simple easy interface for your users.

One option you could consider is to store the passwords but to encrypt the password using a PIN provided by the user. Then whenever the user wants to access their password they simply provide the PIN, which you use to decrypt the password.