We have an app that every time asks user to enter PinCode before authenticate.
Now we want to integrate authentication process with Google FingerPrint API.
We have looked documentation. But in all this implementations we have one truble. So, we want to authenticate user if fingerPrint returns success . But authentication on our system have to go only with PinCode.
So, Where i can save user PinCode securely so that, if FingerPrint returns success to read PinCode decrypt and sent to server?
Take it into account that Shared Preferences is not secure enought.
Shared Preferences is an option for this. But please read up on Shared Preferences Security if you do go for this.
For as noted by user Shuddh, there are a number of ways to gain access to the Shared Preferences. I think it is a good plan to encrypt it.
Related
I'm trying to understand how to implement bio-metric authentication on an app, specifically using a fingerprint.
From what I understood so far the API only provides 3 different information: auth failed, auth success and no fingerprint registered in device.
I am not trying to get any information from the user's bio-metric data, but I cannot find anywhere explained how to relate a user's bio-metric information with his login.
So far I can only think of a way that I could make this work and that would be to require a first time registration before being able to use fingerprint in future logins in which the following takes place:
User enters login data in a form (name and password, for example)
Using the fingerprint success response that information is stored
locally after verifying if the login data is correct on the server
side
Problem with this is that the user's credentials are vulnerable now since it is stored locally and although I could use my own encryption process I fear it would not be more secure because I'd still need to store the encryption algorithm locally with the app in order to encrypt/decrypt that information.
How can I associate the user's bio-metric data / auth success with his login credentials?
I think you are on the right track. All you would need to do, on the initial prompt to enter login credentials, would be to save those credentials in the Android KeyStore (not KeyChain). The KeyStore has encryption options for encrypting the data, so, you don't have to code for that. Then, in the future, if the user's biometrics authenticate, retrieve the KeyStore, decrypt it and go.
You shouldn't store any user's credential locally.
The correct way to implement login by Biometric(fingerprint/face ID) is using Asymmetric Keypair in coordinate with Backend APIs, and user must login by username & password first, then enable login by Biometric option.
For detail implementation, you can refer
https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html
I have been trying to implement a login screen that takes a username and password.
Once the user has logged in once I want him to have the ability to login with the device owner's fingerprint.
I was wondering what would be the correct way of handling this login.
I could encrypt the username and password and save those to shared preferences and once a fingerprint that is authorized is entered I will insert the decrypted username and password (I am looking for a solution like ios keychain).
Should I go with this approach or there is a programmatic way to get the names and passwords.
I have already used a library which verifies if the fingerprint is recognized you can see it here:
https://proandroiddev.com/5-steps-to-implement-biometric-authentication-in-android-dbeb825aeee8
https://github.com/anitaa1990/Biometric-Auth-Sample
There are many way to create an authentication app. Using SharedPreference is also a way to create such apps. But, one limit of SharedPreference is it can only storage data in limited
memory space and data is offline (data is stored in local machine and can be lost if you uninstall app). There are many online library for online authentication, if you are learning or developing a small app then I recommend you to use Firebase Authentication. It can help you create user account, authenticate user by mail, phone number,...and also link to real time database, storage on cloud and many other services (if you need). Please refer following link to get more information about firebase!
https://firebase.google.com/docs/?authuser=0
I started to writing my first Android App.
I've tried to create a simple system which will allow user to get info, if he will authenticate with fingerprint.
I wrote fingerprint auth system to get confirmation if user is registered in the phone, but my question is: Is there any option to get "hash" of the fingerprint and store it for ex. in database to check if user should have access to the app?
I mean:
Database key: 123123123123ASDASDASDASD
Fingerprint key: 123123123123ASDASDASDASD
User has access to the app.
If read fingerprint key not equals stored in database, user doesn't have access to the app.
Is this even possile? - is there any other option to create system like above?
By DB, are you talking a local DB or a remote one? If remote- that's a horrible and insecure idea. You should never use a fingerprint to authorize someone on a remote device- all I need to do is get a copy of someone's fingerprint, pretend its mine, and send it as the hash to gain access. Fingerprint capture and authentication needs to be done on the same device.
If local its still a bad idea. All the functionality you need is built into the fingerprint and account APIs. Use them. Don't store people's private biodata in unsecured storage (a db is unsecured storage).
If I want to store the username and password to be used inside an Android application, what is the best way to do it? Is it through the preferences screen (but what if the user misses this?), or pop up a dialog box and ask the user for the credentials? If so, I do have to maintain state for the application. How would I do this?
Most Android and iPhone apps I have seen use an initial screen or dialog box to ask for credentials. I think it is cumbersome for the user to have to re-enter their name/password often, so storing that info makes sense from a usability perspective.
The advice from the (Android dev guide) is:
In general, we recommend minimizing the frequency of asking for user
credentials -- to make phishing attacks more conspicuous, and less
likely to be successful. Instead use an authorization token and
refresh it.
Where possible, username and password should not be stored on the
device. Instead, perform initial authentication using the username and
password supplied by the user, and then use a short-lived,
service-specific authorization token.
Using the AccountManger is the best option for storing credentials. The SampleSyncAdapter provides an example of how to use it.
If this is not an option to you for some reason, you can fall back to persisting credentials using the Preferences mechanism. Other applications won't be able to access your preferences, so the user's information is not easily exposed.
You should use the Android AccountManager. It's purpose-built for this scenario. It's a little bit cumbersome but one of the things it does is invalidate the local credentials if the SIM card changes, so if somebody swipes your phone and throws a new SIM in it, your credentials won't be compromised.
This also gives the user a quick and easy way to access (and potentially delete) the stored credentials for any account they have on the device, all from one place.
SampleSyncAdapter (like #Miguel mentioned) is an example that makes use of stored account credentials.
I think the best way to secure your credential is to first think of storing the Password with encryption in the account.db file which couldn't be easily available in non rooted devices and in case of rooted device the hacker must need the key to decrypt it.
Other option is do all your authentication like the way Gmail is doing. after the first authentication with the Gmail server . you got the Auth Token that would be use in case of your password . that token would be store in plain text.this token could be false in case you change the password from Server.
the last option I'd recommend you to enable 2-Factor Authentication & create Device Specific Password for your device. After losing device, all you need is to disable that device.
Take a look at What is the most appropriate way to store user settings in Android application if you're concerned about storing passwords as clear text in SharedPreferences.
You can also look at the SampleSyncAdapter sample from the SDK. It may help you.
Take a look at this this post from android-developers, that might help increasing the security on the stored data in your Android app.
Using Cryptography to Store Credentials Safely
With the new (Android 6.0) fingerprint hardware and API you can do it as in this github sample application.
These are ranked in order of difficulty to break your hidden info.
Store in cleartext
Store encrypted using a symmetric key
Using the Android Keystore
Store encrypted using asymmetric keys
source: Where is the best place to store a password in your Android app
The Keystore itself is encrypted using the user’s own lockscreen pin/password, hence, when the device screen is locked the Keystore is unavailable. Keep this in mind if you have a background service that could need to access your application secrets.
source: Simple use the Android Keystore to store passwords and other sensitive information
The info at http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html is a fairly pragmatic, but "uses-hidden-android-apis" based approach. It's something to consider when you really can't get around storing credentials/passwords locally on the device.
I've also created a cleaned up gist of that idea at https://gist.github.com/kbsriram/5503519 which might be helpful.
I want to create a user account on first launch in a wizard and store that in a settings. Something like the account creation wizard in an email app. What is the best way to do?
Should I create a layout where I collect these inputs on first launch and store in Preferences?
A settings menu can be provided in the options key, so the Preferences can be edited.
Is that the right approach?
You can save user details in SharedPreference. Only concern should be security of passwords if you are saving it. Your application's shared preference is sandboxed by default, so your data is safe from other apps.. But a determined/inspired hacker with root access can get any data from any app in an android phone.
For password
1) Either you can use a web service, and store the password in server. During every login process, you can send the username/password to server and validate. This is the best approach if your application is using internet. This option has the simple advantage that you are not saving sensitive data on phone itself.
2) Other option is to store password encrypted. You can use this option if your app doesn't use internet one bit, and you are not ready establish a server for authentication process. There is no absolute security in Android, but saving encrypted does boost the security level.