My requirement is to store username and password in my application.
I am storing username and password using android accountmanager and I am not able to get any straight answers to following queries:
Do i need to encrypt credentials before storing them in
accountmanager?
Does android account manager uses any encryption machenism by default?
How secure are credentials while stored in account manager against rooting?
Yes
No, you need to use Cipher class to encrypt
If you are root, you can access data easily and get the key for encrypt data. The best is to store the key in some native lib, more difficult to disassemble native lib.
Related
I want to use one secure key to encrypt and decrypt data on device without saving it in SharedPreferences or DataStore. I want to generate that key using in app authorization (passcode and biometrics).
I know generating secure key with biometrics is possible using AndroidKeyStore. I know I can generate another key by using passcode. Is there any cryptographic way to use one of those keys to encrypt/decrypt local data?
I have tried generating keys with biometrics and passcode. But I could not find a way to encrypt and decrypt data with either of those keys. For example: user logs in and sets passcode and fingerprint. App should encrypt data so it could be decrypted using one of those authentication methods.
I am wondering how do other secure Android apps solve this problem. Can someone provide me an example where could I look into that?
I have an android app. I'm using json api to fetch data from database. But api credentials are stored in my app. I don't want it. Because there are some ways to show android source codes.
Are there any way fetch data securely but credentials are not stored in my app?
You can use Android Keystore.The Keystore is not used directly for storing application secrets such as password, however, it provides a secure container, which can be used by apps to store their private keys, in a way that’s pretty difficult for malicious (unauthorised) users and apps to retrieve.
How to use the Android Keystore to store passwords and other sensitive information
Where is the best place to store a password in your Android app
I have Android and iOS apps which need to post to social networks, like Twitter and Facebook, directly using users' accounts.
Is it safe to embed the API Key and Consumer Secret in source code (or put in a pref file) within the Android/iOS app? Wouldn't it be possible that some hacker can find the API Key and Consumer Secret?
Pref is never safe for storing your passwords, it have been seen simply in root devices you can encrypt your pass and then put in pref but still your encrypt key exist in code in my experience your codes are not safe too even you use ProGuard.it can decompile and normal developer(not even hacker) can find keys I suggest you never store passwords locally .
if you have to do this I suggest you
use complex code with multipart password that each part store in different location with encryption
also from api 23+ you can use KeyStore
use ndk and store pass in c form
and finally use Proguard and DexGuard.
In my application, upon user successful authentication using OAuth I need to store the access token returned by the REST API. I was thinking of using the keystore to store this token for further use in the application. But so far I havent seen an implementation which stores already generated keys using android keystore APIs. Is there any example or code snippet which stores already generated tokens.
Also if I use keystore to store the access tokens, can the rooted phone users gain access to these tokens?
Thanks.
The following blog post provides a very good explanation on how to go about doing this.
http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html
Also it should not matter if a rooted phone user can gain access to these tokens if they are encrypted. Fortunately, Android's system keystore daemon encrypts keys using AES.
In my Android application I want to encrypt a db file. How can I do that?
The DB, normally, is stored in your application directory which is only accessible to the user-id assigned to your application.
I don't think there's any way to explicitly encrypt the DB using the android framework but an easier approach would be to encrypt the information you store in the DB. That works well if your user needs to enter some password to access the application and you can use this password to encrypt your information. But if your application doesn't require any password login then you will have to keep the encryption key in code and the security of your data will be compromised if some decompiles your application and finds the key.
Sun has an article that explains how to use AES encryption here. As far as I can tell all of the necessary libraries are available from Android.