If building an application where for sending a series of emails the app must temporarily store the user's password, what is the most secure practice of doing this, if any? If not, what would you recommend?
As long as you are not sending the password over the internet, it should not really matter much. If you do want to be more secure, you could store the password in a string and then after it is no longer needed, overwrite it with a string of identical length.
You could use the shared preferences from the device to store and retrieve the password as a string. This string can be deleted from the preferences once you are finished with it.
Related
I want that in my app after the user logged in, or signed in, the password, and other strings that i receive from my server, are stored in the device. So i'm thinking to encrypt this data whit the Keys that i receive from KeyStore. After i did that, where should i save my encrypted data?
I have also read that save password in local device is not the best pratice. Should i store it directly on the server? Here is an article that i read HERE
Everything goes over the server.When you login on the device ,store the users id(hash it on the server and return the hashed id to the device).Store that hashed id of your user in shared preferences or in a local database.And when you want to retrieve some data(for example user data) send the hashed id to the server ,unshash it on the server than make the query.
Why do you want to keep the user data in the smartphone? Have you try Firebase?
and you're right! save password in the phone isn't the good way.
Try Firebase ;)
I have been creating an app in Android recently, which has a login page. It's fully offline, so online or network-based solutions would not help me. I think there are two approach for me to accomplish this task.
Saving password hash in the preferences XML file
Saving password hash in the SQLite database
However, in my opinion both of these ways could be insecure because an user could load my app's data directory in a DDMS and then take out my preferences or database file and subsequently try to manipulate it.
Now, my question is:
Is there any fully secure approach (preferably not using files) or way to encrypt preference or database file?
Thanks in advance
SOLUTION (idea from Marcin Orlowski)
A relatively secure solution would be hashing password along with another string, which is only known to my app (with assumption of no resereve engineering), with this conditions, the attack could not replace my hashed string with his own hashed string.
No, there's no bullet proof solution. What's in the app can be extracted with more or less efforts or your app can be hacked/etc. If you need to store password, do not store plain as plain text. Do sha1 or md5 hash of it first and store the hash, so even if one would get hands on your prefs/DB then he still does not know the password (but he can try to brute force it using i.e. rainbow tables etc). Depending on sensivity of data you protect with password, using hash may be sufficient (if you do not encrypt data itself, then it makes no sense to go further)
Save the password hash in the private ContentProvider. SharedPreferences XML and Database file can only be get from DDMS if user uses rooted phone.
I'm developing an app where the user can use it in remote locations. I've created a startup dialog asking for password. I saved the password in SharedPreferences.
My question is, is it a good idea to do that? Or is there a better way for storing passwords for offline apps?
Because when I try to clear the data of my app in settings -> apps, my saved password in SharedPreferencesis also being deleted.
you can hash your password and store it in a file
search for hash function like MD5 or ..
Basically clear data of your app is cleaning what you store in SharedPreferences so that is normal. Store data in with SharedPreferences is usefull but someone with a rooted devices can access to these datas (basically an xml file store in "/data/data/app_packages").
Then you seriously have to consider to encrypt your password before to store it with SharedPreferences.
My question is, is it a good idea to do that?
Generally, it is not a good idea to store passwords in plaintext,
even if it is an offline application and gets cleared sometimes anyway.
Like you mentioned before, all that Information and even the database can be extracted from your Applicatoin Storage when the device is rooted.
Even If the content of that application is trivial, someone can do what mentioned above, just to see what password you use, so he/she can try to hack other accounts of yours..
This is especially the case if more people are using this application.
If you are aware of, and OK with that, you surely can use SP or DB.
If you want to do something in the right direction, you can encrypt passwords,
or hash them (though I recommend not to use MD5, but something like SHA2,Whirlpool,RipeMD2 or even PBKDF2).
Using an encrypted Database like SQLCipher is also nice, since you have to set it up only once, and everything that is added in to your application
afterwards is automatically stored encrypted.
If your only concern is that you dont want to the passwords be deleted, well, if you don't have Server communication, you have to live with that risk :)
I'm currently designing an application which has initial login page. I provide remember me functionality and I stored username and password values in shared preferences. I illustrated my sample code below.
SharedPreferences preferences = getApplicationContext().getSharedPreferences("MyAppSettings",Context.MODE_PRIVATE);
SharedPreferences.Editor edit = preferences.edit();
edit.putString("username",username);
edit.putString("password",password);
edit.commit();
Info: Suppose username and password are string variables which are filled by user
Whenever user sets checkbox remember me, I store these variables in shared preferences.
I wonder that is this way safe and reliable for performing this kind of operation?
I mean that can these variables be reachable from outside the application?
Also, do I have to encrypt password of the user and store in shared preferences?
Thanks in advance,
Although Raghav Sood did answer your question correctly, your approach to the app design is fundamentally wrong in my opinion.
Modern day practices dictate that you should not store username and password at all in your app. Instead the login process should generate an oauth token that your app can then encrypt and remember for future access the web-server.
To have a general reading about oauth tokens you can check the wikipedia article on it http://en.wikipedia.org/wiki/OAuth and just as example, twitter uses that approach for apps connected to it https://dev.twitter.com/docs/auth/oauth/faq
I mean that can these variables be reachable from outside the application?
Anyone with a rooted device can view your SharedPreferences. It is simply an XML file stored on the device.
Also, do I have to encrypt password of the user and store in shared preferences?
It would be safer to do so, yes. Also encrypt the username while you're about it.
Make the user submit the username & password
Once the backend validates the user, make the server return a JWT
Store this JWT in shared preferences securely using Hawk
Use this JWT to authenticate user in the future
I'm writing a web service client and have the three obvious settings: url, username and password. For this the key value pairs in SharedPreferences would be enough. But I hit a roadblock when I wanted to subscribe to more than one server instance. What I need is the three settings stored once for each server instance added by the user. Whats the best approach here? Create a custom settings activity and save it to a file?
You can store a Set<String> in the SharedPreferences. You can use this to store the keys to the other properties.
One way of doing this is to store a set with keys that define each of your servers (for example, "foo.com" and "bar.com"). Then for each server store the properties you need using a known suffix. Lets say you need to the store the username and password for each one, then you would put "foo.com-username" and "foo.com-password" as the keys for the username and password for the "foo.com" server, same with "bar.com".