I'm working on a app for Android that makes use of files encrypted with AES. I want to provide the user with the ability to scan their fingerprint to decrypt instead of providing their password.
From what I've understood, it's possible to store persistent data in Android's keystore. So my initial idea was to store the password for the file in the keystore and then use a successful fingerprint auth to retrieve this password. Problem is, I haven't been able to figure out how to first auth using a fingeprint and then only return the password if the fingerprint auth succeeded. Is this possible?
I imagine local auth is useless in this case considering I need unique data to encrypt/decrypt the file?
Or is there another way to do this?
Related
I want to use one secure key to encrypt and decrypt data on device without saving it in SharedPreferences or DataStore. I want to generate that key using in app authorization (passcode and biometrics).
I know generating secure key with biometrics is possible using AndroidKeyStore. I know I can generate another key by using passcode. Is there any cryptographic way to use one of those keys to encrypt/decrypt local data?
I have tried generating keys with biometrics and passcode. But I could not find a way to encrypt and decrypt data with either of those keys. For example: user logs in and sets passcode and fingerprint. App should encrypt data so it could be decrypted using one of those authentication methods.
I am wondering how do other secure Android apps solve this problem. Can someone provide me an example where could I look into that?
I'm trying to understand how to implement bio-metric authentication on an app, specifically using a fingerprint.
From what I understood so far the API only provides 3 different information: auth failed, auth success and no fingerprint registered in device.
I am not trying to get any information from the user's bio-metric data, but I cannot find anywhere explained how to relate a user's bio-metric information with his login.
So far I can only think of a way that I could make this work and that would be to require a first time registration before being able to use fingerprint in future logins in which the following takes place:
User enters login data in a form (name and password, for example)
Using the fingerprint success response that information is stored
locally after verifying if the login data is correct on the server
side
Problem with this is that the user's credentials are vulnerable now since it is stored locally and although I could use my own encryption process I fear it would not be more secure because I'd still need to store the encryption algorithm locally with the app in order to encrypt/decrypt that information.
How can I associate the user's bio-metric data / auth success with his login credentials?
I think you are on the right track. All you would need to do, on the initial prompt to enter login credentials, would be to save those credentials in the Android KeyStore (not KeyChain). The KeyStore has encryption options for encrypting the data, so, you don't have to code for that. Then, in the future, if the user's biometrics authenticate, retrieve the KeyStore, decrypt it and go.
You shouldn't store any user's credential locally.
The correct way to implement login by Biometric(fingerprint/face ID) is using Asymmetric Keypair in coordinate with Backend APIs, and user must login by username & password first, then enable login by Biometric option.
For detail implementation, you can refer
https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html
In my application, upon user successful authentication using OAuth I need to store the access token returned by the REST API. I was thinking of using the keystore to store this token for further use in the application. But so far I havent seen an implementation which stores already generated keys using android keystore APIs. Is there any example or code snippet which stores already generated tokens.
Also if I use keystore to store the access tokens, can the rooted phone users gain access to these tokens?
Thanks.
The following blog post provides a very good explanation on how to go about doing this.
http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html
Also it should not matter if a rooted phone user can gain access to these tokens if they are encrypted. Fortunately, Android's system keystore daemon encrypts keys using AES.
In developing an Android application that will store certain user date into a sqlite database, how should I handle a user password securely? How can I encrypt the password so that it does not appear "in the clear" in the database, but so I can decrypt it in the application when needed.
Storing user credentials in a database presents many security challenges. You may want to consider an alternative (e.g. using OAuth 2.0 Authentication). We don't need yet another Android app with security vulnerabilities. Here is a ref for OAuth 2.0 Authentication from Google.
While one alternative that many folks do use is to "hash" the username and password using an algorithm like SHA-1 (MD5 has some vulnerabilities, though it is also used often)
The best approach would be to store SHA-2 (or some other type of hash) of the password, and then compare those hashes instead of the actual decrypted passwords.
Storing passwords is a bad practice and is not secure even if they are encrypted. Remember, everything can be broken. The best you could do is to make things more difficult for the hacker.
I have a preexisting website which I want my android app to login too. I want the app to remember username and password after a user has logged in so they don't have to keep entering their credentials each time they go on the app. How can I store the password 100% safely?
The app will only allow users to upload images whereas the website stores paypal and card information so it's very important that if someone was to lose their phone and it happens to end up in the wrong hands they wont be able to extract their password. Would the password need to be decrypted on the other end?
First of all, you can't store a password 100% safely.
There is a nice blog here about secure credential storage. http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
For the password to be encrypted on the other end you would either need to use a single common master key or have some form of key exchange with the server.
Either that or decrypt the password locally and then send it via HTTPS.
Instead of storing login and password store only some kind of auth id, something like in OAuth and ask for password always when accessing PayPal / card and other private informations.
The better way to do this is to use MD5 hash. You can hash the password and then unhash it in your .php file when you receive the request to auth the user.
Plus, there is no problem to store a hash password in database (SQLite, MySQL, etc.)