I currently have a hardcoded password and username in my program. These credentials are used to access files from a remote server. How can I help prevent someone from going through the source code and figuring out the username and password? (I currently use Proguard for obscuring the code, but I am new to it) Are there alternatives to hard coding the Strings in the application?
I have tried searching around but almost all questions address the problem of storing a user's password and name. I am having a difficult time coming across actually storing the master password for the server the user's credentials are accessed from.
Use Hashing to avoid store credentials in plain text.
Use SharedPreferences to store hashed credentials in local memory.
Read more:
How to securely store credentials (password) in Android application?
Related
I have been trying to implement a login screen that takes a username and password.
Once the user has logged in once I want him to have the ability to login with the device owner's fingerprint.
I was wondering what would be the correct way of handling this login.
I could encrypt the username and password and save those to shared preferences and once a fingerprint that is authorized is entered I will insert the decrypted username and password (I am looking for a solution like ios keychain).
Should I go with this approach or there is a programmatic way to get the names and passwords.
I have already used a library which verifies if the fingerprint is recognized you can see it here:
https://proandroiddev.com/5-steps-to-implement-biometric-authentication-in-android-dbeb825aeee8
https://github.com/anitaa1990/Biometric-Auth-Sample
There are many way to create an authentication app. Using SharedPreference is also a way to create such apps. But, one limit of SharedPreference is it can only storage data in limited
memory space and data is offline (data is stored in local machine and can be lost if you uninstall app). There are many online library for online authentication, if you are learning or developing a small app then I recommend you to use Firebase Authentication. It can help you create user account, authenticate user by mail, phone number,...and also link to real time database, storage on cloud and many other services (if you need). Please refer following link to get more information about firebase!
https://firebase.google.com/docs/?authuser=0
I am making a trivia android application, and I have the questions and answers database stored on my server. In my app, the user types in his/her username and password, and this is sent to a servlet, which then authenticates it with the Database. If the authentication was successful, the user information for the particular user will be downloaded and stored in SharedPreferences. In the user information, there is a user key that is used to access the server again to update user information, and get other values from the database such as the questions and answers. However, this is not very secure as any attacker can create an account, login, and find the user key and use it to get the trivia answers. Should I use a keystore or a token system in my server to authenticate a request for the database. How should I do this? Thanks for the help!
You could scramble the key before putting it in shared pref, and then unscramble it before sending it to your server each time... not to say someone couldn't reverse engineer your app to look at your algorithm and figure out the real key. But then again, how hard are people really going to try to cheat at trivia?
The most secure way would be not to send the answers. Send the user's answer to the server, and have the server check the answer and return right or wrong.
Use PGP encryption. Encrypt user/pw using public key in android then decrypt it using private key in the server. mcrypt or openssl can do that for you.
In developing an Android application that will store certain user date into a sqlite database, how should I handle a user password securely? How can I encrypt the password so that it does not appear "in the clear" in the database, but so I can decrypt it in the application when needed.
Storing user credentials in a database presents many security challenges. You may want to consider an alternative (e.g. using OAuth 2.0 Authentication). We don't need yet another Android app with security vulnerabilities. Here is a ref for OAuth 2.0 Authentication from Google.
While one alternative that many folks do use is to "hash" the username and password using an algorithm like SHA-1 (MD5 has some vulnerabilities, though it is also used often)
The best approach would be to store SHA-2 (or some other type of hash) of the password, and then compare those hashes instead of the actual decrypted passwords.
Storing passwords is a bad practice and is not secure even if they are encrypted. Remember, everything can be broken. The best you could do is to make things more difficult for the hacker.
I have a preexisting website which I want my android app to login too. I want the app to remember username and password after a user has logged in so they don't have to keep entering their credentials each time they go on the app. How can I store the password 100% safely?
The app will only allow users to upload images whereas the website stores paypal and card information so it's very important that if someone was to lose their phone and it happens to end up in the wrong hands they wont be able to extract their password. Would the password need to be decrypted on the other end?
First of all, you can't store a password 100% safely.
There is a nice blog here about secure credential storage. http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
For the password to be encrypted on the other end you would either need to use a single common master key or have some form of key exchange with the server.
Either that or decrypt the password locally and then send it via HTTPS.
Instead of storing login and password store only some kind of auth id, something like in OAuth and ask for password always when accessing PayPal / card and other private informations.
The better way to do this is to use MD5 hash. You can hash the password and then unhash it in your .php file when you receive the request to auth the user.
Plus, there is no problem to store a hash password in database (SQLite, MySQL, etc.)
I'm developing an app which will connect to server webservice and exchange data. I want to include auto authentication mechanism in application. I'm not really good at security stuff, so I would like to ask you, how to do it properly. I think, that storing users password in sharedpreferences or database and comparing it with password stored in server is not a good idea, even in encrypted form. I guess that there is some better way to do it, right?
Normally the service will return a key of some sort (typically in a cookie), and you pass that key with each subsequent request. The server is responsible for keeping track of who has what key. And of course the key is very large so its unguessable.
On the server side, never store the password. You store a hash of the password, and when an incoming password comes from a login request, you hash it and compare the hashes. Better yet you should salt your hashes as well. If you aren't familiar with security I'd really suggest you use an existing library rather than writing your own.