I am saving aws credentials in EncryptedSharedPreferences to avoid Google Play flagging
Your app(s) expose Amazon Web Services credentials.
Is there a way I can bundle the default values in EncryptedSharedPreferences without having to put them in the prefs after getting them from a remote server?
encryptedSharedPrefManager.getString("aws_access_key", ACCESS_KEY), // save these defaults in the prefs itself and ship with the app?
encryptedSharedPrefManager.getString("aws_secret_key", SECRET_KEY)
Related
I have an android app. I'm using json api to fetch data from database. But api credentials are stored in my app. I don't want it. Because there are some ways to show android source codes.
Are there any way fetch data securely but credentials are not stored in my app?
You can use Android Keystore.The Keystore is not used directly for storing application secrets such as password, however, it provides a secure container, which can be used by apps to store their private keys, in a way that’s pretty difficult for malicious (unauthorised) users and apps to retrieve.
How to use the Android Keystore to store passwords and other sensitive information
Where is the best place to store a password in your Android app
I've developed an application which use OAuth2 with https protocol.
The user's token is saved on SharedPreferences.
I wanna know if saving user's token is critical security problem or not?
and encrypting SharedPreferences is a good solution or not?
SharedPreferences of your application can be accessed by other application in your device, therefore shared preference is not a secure place to save sensitive information.
Yes encrypting your token before adding it to the SharedPreferences is always a good idea.
I'm developing an android app in which user is authenticated using XAuth token.I don't want to store this token in SharedPreference or SQLite.because it stores data as a plain text.How to store token in android device.
Use secure SharedPreferences. It's not bullet proof, but vastly increases the security.
Find an explanation here: https://github.com/scottyab/secure-preferences
My current process to secure iOS app connected to web service is the following.
iOS Client credentials (public id + secret) to access web service are stored into CloudKit public database (available only for my app)
At first launch, my app is securely retrieving credentials from CloudKit
On change from CloudKit, my app is automatically notified and can update stored credentials
Credentials are securely stored in keychain.
Like this, there is no credentials on my source code.
With Android, I can securely store credentials once retrieved. But how can I retrieve API credentials without storing them in my source code?
Thanks. :-)
My requirement is to store username and password in my application.
I am storing username and password using android accountmanager and I am not able to get any straight answers to following queries:
Do i need to encrypt credentials before storing them in
accountmanager?
Does android account manager uses any encryption machenism by default?
How secure are credentials while stored in account manager against rooting?
Yes
No, you need to use Cipher class to encrypt
If you are root, you can access data easily and get the key for encrypt data. The best is to store the key in some native lib, more difficult to disassemble native lib.