I have an app which allows to remotely lock other phones named "Parental Lock".
In the app, users can put a password for a time to their "children"s phone.
The problem is when the time specified by the "parent" ends, I want to remove the password given by the "parent" and restore the original one if there was.
For now, when the time ends, I am removing the password via device manager from the phone but to restore the old password put by the user itself long before, I must get the password info.
The get the password, the password itself had to be encrypted in first place (with yet another password, brr).
And the rule #1 says: never ever encrypt passwords, use hashing algorithms with a salt to store them.
Related
Is there a way to lock every app i give to the end user with a unique password so that only i can generate a valid password to unlock that app and a copy of that app should not unlock with same password aswell.
I don't wanna setup online server for that. I need my app to be unlocked offline.
You can generate password on a first Application start using current time of system and Android Id, for example. Then you should show to user this time (that can be shown to them in some non-readable format) and his Android id. Then user sends you (or reads by phone, etc), this two lines and you combine them in a password using the same algorithm as phone did.
If the password can be long - create md5 hash of string, consisting of needed data. If it should be short - decrease the length of md5 or make some algorithm that will take only needed length from the whole password.
I'm creating an android app which requires a login process. My issue is with implementing a "remember me" function in the app. There are several questions surrounding this issue already on the internet, but I was wondering if there is an easier way than creating public keys for the app or using OAuth (disclaimer: novice developer).
I read the existing questions like How do I implement a 'Remember me' function in an Android Activity? and Security: How should I store ("Remember") a user's username and password for future use? but they suggest two methods of password storage: plaintext in SharedPreferences, or hashed in SharedPreferences. However, the answers go on to say that these can be compromised if someone has access to the phone.
As a preliminary question, I would ask whether it is necessary to maintain security once someone has root access to the device/the hashed password, considering that cracking the password may give the intruder access to other accounts the user has made. If so, would it be beneficial to implement a system which performs this function but without ever storing the user's password (plaintext or hashed) on the phone.
I was thinking of a method which works using three steps:
When a user successfully logs in AND has checked the "remember me" checkbox, store their username in a SharedPreferences file.
Store a boolean value in the database indicating whether the user has checked the "remember me" box.
When the app starts in future, it automatically checks the SharedPreferences file for a username. If a username is found, and the database value for that username is true, the user is logged into the app under that user name.
This way, the user's password is never stored on the app (either in cleartext or in hashed form). Would this be a secure way of implementing the "remember me" function, or should I use another method?
Apologies if this question is not specific enough/too open-ended.
As you do not store password in phone I think it's a secured way of implementing a "Remember Me" function. But, In your 3rd step you haven't mentioned how you will get the username to compare with the SharedPreferences. If users have to provide the username again it won't be a good method.
Think this is kind of a hard question to phrase correctly. Once the user downloads the app, i want to create a password for them to have to input a password on first time startup. When this password in input correctly, the user never has to input it again and has full access to the app from then on. Can anyone point me in the right direction of a tutorial or guide me in how this can be done? Thanks in advance!
For the easiest implementation, you can use SharedPreference. Store some value named "isFirstTime" or something with a value true. On your launcher activity, check whether this value is false or true. When user will first launch the app, this will be false. Display your password or call any service from which you will send password to user. Store that password in SharedPreference, too. Once the user enters the correct password compare it with the stored value and if the password matches, change the value of "isFirstTime" to false. Now next time the activity is started, according to your condition the user will bypass the authentication and get started with the app.
In Android Device Administration, I know resetPassword(String password, int flags) can reset the password. But, my wish is that I will hold old password before reseting it. In this way, I can, if user wants, rescue the password. Are there a way to hold the password ? Moreover, how can I get password from system ?
NOTE: My application is system app.
No, you cannot get the password. It is indeed hashed, and the device technically doesn't 'know' it. Additionally, since pretty much any app can become a system administrator (if the user confirms), any app would be able to retrieve the password, which is a bad idea.
I want to lock my application with a password which the user has set in the applications settings.
Each time the main acitivity of my app is going to be shown, a password dialog should be shown instead. I know how to do that, but i wonder... :
How do I store the password the user has set? I can't store it in SharedPreferences because you can delete SharedPreferences in your phone's settings. I thought about a textfile which holds the password, but this file can be deleted, cant it?
Any ideas?
You cannot protect against the password being deleted one way or another, so you need to step back and consider why you have a password in the first place. Most likely you're using the password to protect data the app has access to, rather than the actual app itself (since protecting the app from running is not going to be effective against an attacker that has physical access to the device.
If your password is to protect data, you only need to ensure that an attacker cannot access the data due to deleting a password store. One way to do this is to use the password as an encryption key (or part of a key) that obscures the data -- thus there's not even a password to delete.
One option is to put the password in the same file as where you have the other information (I reckon you want to protect the settings/data of the user). Just do not start the app when that file is missing or corrupted. What you have accomplished then, is that the information is rendered unusable if someone tampers with the data. Sign / encrypt your data file(s).
Another solution could be to store the password (hash!) on a webserver.