I've developed an application which uses OAuth2 with the HTTPS protocol.
The user's token is saved in SharedPreferences.
I want to know whether saving the user's token is a critical security problem or not,
and whether encrypting SharedPreferences is a good solution or not.
The SharedPreferences of your application can be accessed by other applications on your device, therefore SharedPreferences is not a secure place to save sensitive information.
Yes, encrypting your token before adding it to the SharedPreferences is always a good idea.
Apparently you can't use cookies to store your Sessions or JWTs in iOS's UIWebView / Android's WebView. After looking it up online, it seems like the accepted solution is to store it in LocalStorage. This obviously has serious XSS implications, as secure and sensitive information is not supposed to be stored in LocalStorage.
Has someone figured out a secure way to implement a login system in a hybrid app that stores either the Session identifier or JSON Web Token? I'm surprised that there are no good resources on this.
I use a token that is returned after the user logs in. It is generated on the server side and stored in the database. Then it is also stored in local storage, and expires after a set amount of time. I then include that as a header with all of the future API calls.
We have an app that asks the user to enter a PIN code every time before authenticating.
Now we want to integrate the authentication process with the Google Fingerprint API.
We have looked at the documentation. But in all these implementations we have one trouble. So, we want to authenticate the user if the fingerprint returns success. But authentication on our system has to go only with the PIN code.
So, where can I save the user's PIN code securely so that, if the fingerprint returns success, I can read the PIN code, decrypt it and send it to the server?
Take into account that Shared Preferences is not secure enough.
Shared Preferences is an option for this. But please read up on Shared Preferences security if you do go for this.
As noted by user Shuddh, there are a number of ways to gain access to the Shared Preferences. I think it is a good plan to encrypt it.
I'm developing an Android app in which the user is authenticated using an XAuth token. I don't want to store this token in SharedPreferences or SQLite, because they store data as plain text. How do I store the token on the Android device?
Use secure SharedPreferences. It's not bulletproof, but it vastly increases the security.
Find an explanation here: https://github.com/scottyab/secure-preferences
Where do I need to store the authentication token which will be submitted with each request in an Android application? I'm asking for a secure storage location; for example, the iPhone has a keychain. Is there an equivalent service in Android? Is storing it in shared preferences secure or not?
In Android 4.3+ there is something called AndroidKeyStore which is roughly equivalent to the iOS keychain. Here's a good blog write-up of it and the official API sample project.
In general, if you create your shared preferences with Context.MODE_PRIVATE they are only accessible by your application (or other apps signed by your key). However, if the device is rooted then the user and any app could potentially read your app's private shared preferences.
I helped create and maintain a library called secure-preferences to obfuscate keys and values that are stored in the shared preferences, to make it harder for attackers and require them to reverse engineer the app (although that's not rocket science). A good alternative to secure-preferences is CWAC-prefs by Mark Murphy, which is backed by SQLCipher.
I want to create a user account on first launch in a wizard and store that in settings. Something like the account creation wizard in an email app. What is the best way to do this?
Should I create a layout where I collect these inputs on first launch and store them in Preferences?
A settings menu can be provided in the options key, so the Preferences can be edited.
Is that the right approach?
You can save user details in SharedPreferences. The only concern should be the security of passwords if you are saving them. Your application's shared preferences are sandboxed by default, so your data is safe from other apps. But a determined/inspired hacker with root access can get any data from any app on an Android phone.
For the password:
1) Either you can use a web service and store the password on the server. During every login process, you can send the username/password to the server and validate. This is the best approach if your application is using the internet. This option has the simple advantage that you are not saving sensitive data on the phone itself.
2) The other option is to store the password encrypted. You can use this option if your app doesn't use the internet one bit, and you are not ready to establish a server for the authentication process. There is no absolute security in Android, but saving it encrypted does boost the security level.