I am trying to create an android activity "Save_Password" which stores the password in a database "PasswordDB".There is another activity named "Enter_Password" in which I want to allow the user to only enter the password which is already stored in SQLite database.
When I run this for the first time "Save_Password" should open. When I again open it "Enter_Password" should open.
Is there some query which I can execute to check if table exist or not.
Or should I use Shared preferences?
You don't need a database for just storing a "password". You can use SharedPreferences for that purpose.
Its very simple to use and a much light-weight operation that database. Doesn't slow down your app even by a bit.
If you are storing passwords locally in SharedPreferences, then they can be easily read, so its better to encrypt them and store and later decrypt them.
You can do this in a very simple way by using this small library, SecurePreferences
It will handle all the encryption and decryption automatically for you.
You just need to save password right? Then use SharedPreferences.
But saving password locally is not a good design choice.At least encrypt the data before you store, and decrypt it whenever you want to read it.
Related
I am building an app which generates a random password and you can keep it along with your other details such as username, website url, name etc.
Basically a password management thing.
Things to be stored:
When I am clicking on the save button, I wanted it to be saved somewhere locally. So that, I could retrieve them and display it in another activity.
Can I share those things in SharedPreferences for all those password entries securely? [By password entry, I meant the entire class ]
I have referred to something like ComplexPreferences [ http://blog.nkdroidsolutions.com/class-object-in-sharedpreferences/ ]
I've tried them because I had created a class containing all these data [title, url, username, password, notes]. But I cannot retrieve them properly using a recyclerview. I'm ending up with some error.
If it cannot be done with SharedPreferences, how can I do it with SQLite Database?
But how can I save them securely? I don't know much about security in Android.
Please guide.
The shared preferences and sqlite db both are secure for an extend only.
It can be easily accessanle and can be modified even there are several apps available to edit the shared preferences and sqlite db in playstore . **
So i prefer not to store it locally
.you can use some kind of **algorithms and mechanisms to encrypt and decrypt the data that you are going to store locally.
if the device is rooted then its a SERIOUS ISSUE
Let's say, that you have a generated password along with other details like user name. Storing this kind of data is a perfect fit for SQLite. But, storing in plain text is not safe. Either the whole database or individual records should be encrypted. The former can be done using one of the open source database encryption libraries. For the later you have a couple of options:
Ask the user for a password each time he opens the app. Generate the actual encryption key using password-based encryption and the same salt value.
You can use the Android Keystore Provider to generate an encryption key and save it for you in a safe location on the device. Later, you retrieve the entry from the keystore and use it to encrypt/decrypt your database records using javax.crypto.Cipher.
Both options ensure that the encryption key is not be present in the app.
I still don't understand, why you need to save it locally? If only your application will be able to unlock data. In this case, only your application will have keys to working with this files.
For this example, you can easily work with SharedPreference with Private Mode. Furthermore, it's enough for most tasks. We using this option to save User's token, and it's Ok, for system. (If we talk about safety of this way, so you will have some risk for custom ROM, for Users, which manually flashed on device.)
If you need more complicated things, you can use sample, for using Android Keystore, with generating Key Pair, and saving data. For example you can check this source.
UPDATE!
So question was updated a lot, from first version. I will update information what you a looking for. Saving huge encrypted information locally.
Maybe easer way to do it, it's just use local encryption of data, as I described above, using Android KeyStore, KeyChain (links above). You will create our own KeyPair and will use for encryption and descryption some data. But this data, you will save in your DB in encrypted view.
Another more complex solution, will be creation of mechansim for encyption/decryption DB. As you described, you will save all information in DB, and after, just encrypt/decrypt you DB files. Fortunatly, we already have such library SQLCipher, just take a look. Fore example, this is pretty simple tutorial
I have been creating an app in Android recently, which has a login page. It's fully offline, so online or network-based solutions would not help me. I think there are two approach for me to accomplish this task.
Saving password hash in the preferences XML file
Saving password hash in the SQLite database
However, in my opinion both of these ways could be insecure because an user could load my app's data directory in a DDMS and then take out my preferences or database file and subsequently try to manipulate it.
Now, my question is:
Is there any fully secure approach (preferably not using files) or way to encrypt preference or database file?
Thanks in advance
SOLUTION (idea from Marcin Orlowski)
A relatively secure solution would be hashing password along with another string, which is only known to my app (with assumption of no resereve engineering), with this conditions, the attack could not replace my hashed string with his own hashed string.
No, there's no bullet proof solution. What's in the app can be extracted with more or less efforts or your app can be hacked/etc. If you need to store password, do not store plain as plain text. Do sha1 or md5 hash of it first and store the hash, so even if one would get hands on your prefs/DB then he still does not know the password (but he can try to brute force it using i.e. rainbow tables etc). Depending on sensivity of data you protect with password, using hash may be sufficient (if you do not encrypt data itself, then it makes no sense to go further)
Save the password hash in the private ContentProvider. SharedPreferences XML and Database file can only be get from DDMS if user uses rooted phone.
I'm building an Android game and I'm not sure where I should save something like "last completed level" or "remaining lives".
I'm pretty sure that I should not save this information in the database, because it's really simple to access an app's database with root access and some SQLite browser.
And I don't want to send it to a webserver, because the game should be playable offline.
What is the most secure place where I can store this information to prevent the player from cheating?
Thanks in advance
You may wanna try one of the three options described here :
http://developer.android.com/training/articles/security-tips.html
Since android is base on UID, it is almost impossible to prevent root user to retrieve data, but you can still encrypt it .
I would go for the internal storage with encryption, and skip the content provider option due to the few data you will store
You could use a non secure storage (like SharedPreferences for example) but use a digital signature to make sure that the value wasn't tampered with.
So you can use Cipher to save your game information file
check this https://stackoverflow.com/a/10782267/2773264
or you can save your file as Object by using ObjectOutputStream
(don't save String Object, save a custom class to prevent from cheating).
I'm developing an app where the user can use it in remote locations. I've created a startup dialog asking for password. I saved the password in SharedPreferences.
My question is, is it a good idea to do that? Or is there a better way for storing passwords for offline apps?
Because when I try to clear the data of my app in settings -> apps, my saved password in SharedPreferencesis also being deleted.
you can hash your password and store it in a file
search for hash function like MD5 or ..
Basically clear data of your app is cleaning what you store in SharedPreferences so that is normal. Store data in with SharedPreferences is usefull but someone with a rooted devices can access to these datas (basically an xml file store in "/data/data/app_packages").
Then you seriously have to consider to encrypt your password before to store it with SharedPreferences.
My question is, is it a good idea to do that?
Generally, it is not a good idea to store passwords in plaintext,
even if it is an offline application and gets cleared sometimes anyway.
Like you mentioned before, all that Information and even the database can be extracted from your Applicatoin Storage when the device is rooted.
Even If the content of that application is trivial, someone can do what mentioned above, just to see what password you use, so he/she can try to hack other accounts of yours..
This is especially the case if more people are using this application.
If you are aware of, and OK with that, you surely can use SP or DB.
If you want to do something in the right direction, you can encrypt passwords,
or hash them (though I recommend not to use MD5, but something like SHA2,Whirlpool,RipeMD2 or even PBKDF2).
Using an encrypted Database like SQLCipher is also nice, since you have to set it up only once, and everything that is added in to your application
afterwards is automatically stored encrypted.
If your only concern is that you dont want to the passwords be deleted, well, if you don't have Server communication, you have to live with that risk :)
I know this topic has been discussed before on Stack Overflow. But there are still some things that are not clear when I read previous posts about it. So here they are:
I know that we use shared preference for small datasets and sqlite for large data manipulation, so if we just want to save a username and password should we use shared preferences?
Won't shared preferences be lost when user uninstalls the app? For example I download an app called abc and save my username and password. Then I uninstall this app from one phone and try to access it from other phone using the same username and password. Will this be saved using shared preferences or the data be lost?
What are the main reason we use one over the other beside large and small datasets?
You can think of the difference between shared preferences and an SQLite database in terms of data size but that isn't entirely accurate. A better way to think of it is in terms of the structure of the data you want to store.
Shared preferences can only store key-value pairings whilst an SQLite database is much more flexible. So shared preferences are particularly useful for storing user preferences, e.g. should the app display notifications etc. Whilst an SQLite database is useful for just about anything.
Both data sources are local but something you should be aware of is the ability to backup your application data to cloud storage that is linked to the user's Google account. This makes it much easier for your users to change devices and for their applications to easily transfer to the new device. For more info take a look here.
In the situation you described about you will lose the user name and password in both situations. The data is stored on the phone, when you uninstall the application, the data that some with it will also be lost. The user will have to re-enter this information.
You can save the user name and pass in either the shared Preferences or a DB, that is personal preference. Just make sure you lock either down, i.e. don't share the DB or Shared Preferences that you keep this information in.
As for the difference... shared Preferences should hold well... shared Preferences... here is an example:
If I create an option to change the background color, I will store all available options in a DB that can be loaded into a adapter view for the user to choose from. But I will store the color that they have selected in the Shared Preferences. This way when the application load I can get the Shared Preference value of the background color that should be used.
SharedPreferences is used for just that, storing user preferences shared application-wide. You can use it, for example, to store a user's username, or perhaps some options he or she has configured in your app in which you want to remember.
SQLite is a relational database. It's used to store your application's data, not preferences or configuration information.
Both are stored locally on the device.
1.SharedPreferences stores only Boolean, int, float, long, String five kinds of simple data types, such as can not be conditional query. So, whether SharedPreferences data storage operation is how simple it can only be a supplement of storage, but can not completely replace other data such as the SQLite database is stored.
2.SharedPreferences based on the XML file to store key-value key used to store configuration information(mainly user preference for your application).
3.Sharedprefrece just like cookies in web which store some basic information at client side.
both store their data locally, so uninstalling the app will delete both. other than that, SharedPreferences is easier to program, and you're right about the data amounts.
In general, shared preferences should be used if you want to allow your user to directly manipulate certain data fields. Shared preferences are basically user preferences; if you would like the user to reconfigure the app to behave in different ways, you should expose that functionality as a shared preference. On the other hand, the SQLite database should be used if you want to limit the visibility of the data to just the application, if you want a stronger guarantee that the data be persistent, and if you want the application to behave independently of what is stored in the database. Of course, you can use both in one application.
Shared preferences and the database are part of local data that the application stores. If you uninstall the application, both of the data stores will be removed.