I'm developing an android app in which user is authenticated using XAuth token.I don't want to store this token in SharedPreference or SQLite.because it stores data as a plain text.How to store token in android device.
Use secure SharedPreferences. It's not bullet proof, but vastly increases the security.
Find an explanation here: https://github.com/scottyab/secure-preferences
Related
I have an android app. I'm using json api to fetch data from database. But api credentials are stored in my app. I don't want it. Because there are some ways to show android source codes.
Are there any way fetch data securely but credentials are not stored in my app?
You can use Android Keystore.The Keystore is not used directly for storing application secrets such as password, however, it provides a secure container, which can be used by apps to store their private keys, in a way that’s pretty difficult for malicious (unauthorised) users and apps to retrieve.
How to use the Android Keystore to store passwords and other sensitive information
Where is the best place to store a password in your Android app
I have been trying to implement a login screen that takes a username and password.
Once the user has logged in once I want him to have the ability to login with the device owner's fingerprint.
I was wondering what would be the correct way of handling this login.
I could encrypt the username and password and save those to shared preferences and once a fingerprint that is authorized is entered I will insert the decrypted username and password (I am looking for a solution like ios keychain).
Should I go with this approach or there is a programmatic way to get the names and passwords.
I have already used a library which verifies if the fingerprint is recognized you can see it here:
https://proandroiddev.com/5-steps-to-implement-biometric-authentication-in-android-dbeb825aeee8
https://github.com/anitaa1990/Biometric-Auth-Sample
There are many way to create an authentication app. Using SharedPreference is also a way to create such apps. But, one limit of SharedPreference is it can only storage data in limited
memory space and data is offline (data is stored in local machine and can be lost if you uninstall app). There are many online library for online authentication, if you are learning or developing a small app then I recommend you to use Firebase Authentication. It can help you create user account, authenticate user by mail, phone number,...and also link to real time database, storage on cloud and many other services (if you need). Please refer following link to get more information about firebase!
https://firebase.google.com/docs/?authuser=0
Apparently you can't use cookies to store your Sessions or JWTs in iOS's UIWebView / Android's WebView. After looking it up online, it seems like the accepted solution is to store it in LocalStorage. This obviously has serious XSS implications, as secure and sensitive information is not supposed to be stored in LocalStorage.
Has someone figured out a secure way to implement a login system in a hybrid app that stores either the Session identifier or JSON Web Token? I'm surprised that there are no good resources on this.
I use a token that is returned after the user logs in. It is generated on the server sided and stored in the database. Then it is also stored in local storage, and expires after a set amount of time. I then include that as a header with all of the future API calls.
I am trying to understanding how the authentication of fb happens on mobile devices(ios/android)?
only for the first time when i installed the fb app, i entered the username/pwd. Thats it. from next time onwards, it will auto authenticate itself.
1) Does the fb mobile app stores the username/pwd on the device in any file?
2) will it use oauth or similar token mechanism? if so, where does the token stored on the device.
I guess, my question is, in which memory/path/filename it is stored, so that it is secured and cannot be accessed by other apps/root users.
Thanks much
That's a good question.
It's dangerous to store a user's password in a standard local directory on a device, for the obvious reason that if the phone is compromised a hacker may have access to a password that is likely shared between accounts (do you have a different password for every service you use?).
However, storing a username to the device's default storage is not-so-problematic, and that is generally the method of choice. For iOS this would be NSUserDefaults.
Now, in the case of passwords and tokens (which are certainly necessary and FB would not cut corners on having token-based auth), both being secure contents that ought to be protected, they are generally stored in some sort of encrypted keychain. In the case of iOS, 256-bit encryption by virtue of Keychain Services.
Therefore, when you build an application with auto-login you retrieve the password and token from the keychain on load. However, if the device were to be lost and end up in the wrong hands all of this data would be encrypted and inaccessible.
Of course, let's not pretend this method is fool-proof: http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/.
EDIT: Although my background is iOS, I am aware that Android uses Keystore as their alternative.
https://developer.android.com/training/articles/keystore.html
we are developing an android library, that will communicate with our backend. This library will be distributed to our clients, allowing their applications to send data to our servers.
Each library should communicate in a secure way, with client credentials (token and so on).
Where would be the best place to store that token? Maybe in manifest? Plain text file in a single folder?
I want to be as much transparent I can. Client should download my library, download credentials file, and all should start running smoothly.
Any tip?
Thank you so much
From the official official documentation
Handling Credentials
In general, we recommend minimizing the frequency of asking for user
credentials—to make phishing attacks more conspicuous, and less likely
to be successful. Instead use an authorization token and refresh it.
Where possible, username and password should not be stored on the
device. Instead, perform initial authentication using the username and
password supplied by the user, and then use a short-lived,
service-specific authorization token.
Services that will be accessible to multiple applications should be
accessed using AccountManager. If possible, use the AccountManager
class to invoke a cloud-based service and do not store passwords on
the device.
After using AccountManager to retrieve an Account, CREATOR before
passing in any credentials, so that you do not inadvertently pass
credentials to the wrong application.
If credentials are to be used only by applications that you create,
then you can verify the application which accesses the AccountManager
using checkSignature(). Alternatively, if only one application will
use the credential, you might use a KeyStore for storage.
So using AccountManager seems to be the best option for storing credentials.
You can also use the SharedPreference but it's risky cause on rooted phones it is possible to access the preferences file of an app.