How can I protect username and password saved in preferences?
Some sample code would be nice.
If you store passwords in plain text in an SQLite database or shared preferences, someone with root access might see them. Encrypting credentials prior to saving them locally would be safer, but still not perfect if someone reverse-engineers your app and gets the encryption key.
Have a look at the AccountManager. Also, this post might help you.
If you find that too complicated for your purpose, at least encrypt passwords before storing them into SharedPreferences! You can find more information, explanation and code here, too.
SharedPreferences sharedPreferences = MyApplication.getContext()
.getSharedPreferences(ApplicationConstants.SHARED_PREF_NAME,
Activity.MODE_PRIVATE);
Shared prefernces are stored under Android/data/data/yourApp on the internal file system of android and it's not accessible to other apps, so you can privately save data on shared preference
ACtually shared prefrence data store in your application memory and no other app can access that so beware of this
Related
I know that SharedPreferences is an efficient way to store data but is the database used by android to store SharedPreferences read only even if you have root access?
Thanks in advance!
There is nothing you can do if a user has SUDO permission on the device. If a device is rooted, they can dig into your SharedPreferences all they want.
If you are storing passwords or other sensitive data in your app's local data, consider doing some sort of obfuscation like SHA or MD5 hashing before adding to prefs.
As I understand it, it's possible to retrieve data stored in SharedPreferences. Therefore it isn't safe. Could anybody advice me on a way to completely secure the data? I know it's possible to encrypt and store the data, but I'm wondering, is there any other way?
Data stored in SharedPreferences, if created with Context.MODE_PRIVATE, is only accessible to your own application.
Though, if the users phone is rooted, then the data can be read by root applications (even if created with Context.MODE_PRIVATE).
There is no way to avoid that, ever. But you can take precautions such as encrypting the data in SharedPreferences.
A good example of this is the SecurePreferences library: https://github.com/scottyab/secure-preferences
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem premissions set that only allow the UID that the specific application runs with to access them.
So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. You can google it out.
Try this https://prashantsolanki3.github.io/Secure-Pref-Manager/ to easy work with shared preferences, it also encrypts the key and value before saving it in the preferences.
Sample code to save a value:
SecurePrefManager.with(this)
.set("user_name")
.value("LoremIpsum")
.go();
I'm going to use the SharedPreferences Keys to store my app informations so when I open the app again after onDestroy the information will still the same.
I'm just wondering is it safe to use SharePreferences ? I mean is there a way to hack or get the KEYS from the SharePreferences ?
and does all Android Platforms have the SharePreferences ?
thanks .
sharedPreferences arent safe..
sharedPreferences should just store config/setting-data not encrypted..
if u want to store critical data - you have to write it encrypted in a dataBase/sharedPrefs
btw .. http://android-developers.blogspot.de/2013/02/using-cryptography-to-store-credentials.html
You shouldn't store any unencrypted valuable information(passwords, private user information etc.) in SharedPreferences. SharedPreferences are just plain XML files in app directory on internal storage.
If you need to store smth private - you definitely need to encrypt it first.
I am using SharedPreferences to store my keys and my crypted messages.If i store them crypted in it and then decrypt in my app it takes some time, but i am confused about if it will secure to store them decrpyted in SharedPreferences.
Can anybody reach my SharedPreferences MODE_PRIVATE with special app or something like that ?
On a rooted phone, yes, it can access the shared preferences for your app. Also, on any phone the user can delete all the data that it's stored in shared preferences by clearing the cache in the application manager.
A safe way to store data would be to encrypted it with AES and save it in a text file in the root folder of your app.
I'm currently designing an application which has initial login page. I provide remember me functionality and I stored username and password values in shared preferences. I illustrated my sample code below.
SharedPreferences preferences = getApplicationContext().getSharedPreferences("MyAppSettings",Context.MODE_PRIVATE);
SharedPreferences.Editor edit = preferences.edit();
edit.putString("username",username);
edit.putString("password",password);
edit.commit();
Info: Suppose username and password are string variables which are filled by user
Whenever user sets checkbox remember me, I store these variables in shared preferences.
I wonder that is this way safe and reliable for performing this kind of operation?
I mean that can these variables be reachable from outside the application?
Also, do I have to encrypt password of the user and store in shared preferences?
Thanks in advance,
Although Raghav Sood did answer your question correctly, your approach to the app design is fundamentally wrong in my opinion.
Modern day practices dictate that you should not store username and password at all in your app. Instead the login process should generate an oauth token that your app can then encrypt and remember for future access the web-server.
To have a general reading about oauth tokens you can check the wikipedia article on it http://en.wikipedia.org/wiki/OAuth and just as example, twitter uses that approach for apps connected to it https://dev.twitter.com/docs/auth/oauth/faq
I mean that can these variables be reachable from outside the application?
Anyone with a rooted device can view your SharedPreferences. It is simply an XML file stored on the device.
Also, do I have to encrypt password of the user and store in shared preferences?
It would be safer to do so, yes. Also encrypt the username while you're about it.
Make the user submit the username & password
Once the backend validates the user, make the server return a JWT
Store this JWT in shared preferences securely using Hawk
Use this JWT to authenticate user in the future