I have a preexisting website which I want my android app to login too. I want the app to remember username and password after a user has logged in so they don't have to keep entering their credentials each time they go on the app. How can I store the password 100% safely?
The app will only allow users to upload images whereas the website stores paypal and card information so it's very important that if someone was to lose their phone and it happens to end up in the wrong hands they wont be able to extract their password. Would the password need to be decrypted on the other end?
First of all, you can't store a password 100% safely.
There is a nice blog here about secure credential storage. http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
For the password to be encrypted on the other end you would either need to use a single common master key or have some form of key exchange with the server.
Either that or decrypt the password locally and then send it via HTTPS.
Instead of storing login and password store only some kind of auth id, something like in OAuth and ask for password always when accessing PayPal / card and other private informations.
The better way to do this is to use MD5 hash. You can hash the password and then unhash it in your .php file when you receive the request to auth the user.
Plus, there is no problem to store a hash password in database (SQLite, MySQL, etc.)
Related
I'm working on a app for Android that makes use of files encrypted with AES. I want to provide the user with the ability to scan their fingerprint to decrypt instead of providing their password.
From what I've understood, it's possible to store persistent data in Android's keystore. So my initial idea was to store the password for the file in the keystore and then use a successful fingerprint auth to retrieve this password. Problem is, I haven't been able to figure out how to first auth using a fingeprint and then only return the password if the fingerprint auth succeeded. Is this possible?
I imagine local auth is useless in this case considering I need unique data to encrypt/decrypt the file?
Or is there another way to do this?
I'm trying to understand how to implement bio-metric authentication on an app, specifically using a fingerprint.
From what I understood so far the API only provides 3 different information: auth failed, auth success and no fingerprint registered in device.
I am not trying to get any information from the user's bio-metric data, but I cannot find anywhere explained how to relate a user's bio-metric information with his login.
So far I can only think of a way that I could make this work and that would be to require a first time registration before being able to use fingerprint in future logins in which the following takes place:
User enters login data in a form (name and password, for example)
Using the fingerprint success response that information is stored
locally after verifying if the login data is correct on the server
side
Problem with this is that the user's credentials are vulnerable now since it is stored locally and although I could use my own encryption process I fear it would not be more secure because I'd still need to store the encryption algorithm locally with the app in order to encrypt/decrypt that information.
How can I associate the user's bio-metric data / auth success with his login credentials?
I think you are on the right track. All you would need to do, on the initial prompt to enter login credentials, would be to save those credentials in the Android KeyStore (not KeyChain). The KeyStore has encryption options for encrypting the data, so, you don't have to code for that. Then, in the future, if the user's biometrics authenticate, retrieve the KeyStore, decrypt it and go.
You shouldn't store any user's credential locally.
The correct way to implement login by Biometric(fingerprint/face ID) is using Asymmetric Keypair in coordinate with Backend APIs, and user must login by username & password first, then enable login by Biometric option.
For detail implementation, you can refer
https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html
I have been trying to implement a login screen that takes a username and password.
Once the user has logged in once I want him to have the ability to login with the device owner's fingerprint.
I was wondering what would be the correct way of handling this login.
I could encrypt the username and password and save those to shared preferences and once a fingerprint that is authorized is entered I will insert the decrypted username and password (I am looking for a solution like ios keychain).
Should I go with this approach or there is a programmatic way to get the names and passwords.
I have already used a library which verifies if the fingerprint is recognized you can see it here:
https://proandroiddev.com/5-steps-to-implement-biometric-authentication-in-android-dbeb825aeee8
https://github.com/anitaa1990/Biometric-Auth-Sample
There are many way to create an authentication app. Using SharedPreference is also a way to create such apps. But, one limit of SharedPreference is it can only storage data in limited
memory space and data is offline (data is stored in local machine and can be lost if you uninstall app). There are many online library for online authentication, if you are learning or developing a small app then I recommend you to use Firebase Authentication. It can help you create user account, authenticate user by mail, phone number,...and also link to real time database, storage on cloud and many other services (if you need). Please refer following link to get more information about firebase!
https://firebase.google.com/docs/?authuser=0
I've been mostly creating smaller apps and games for Android so far, but am now creating a somewhat big app with lots of users and more sensible data than a highscore.
My normal approach was to just have a table for all users with passwords, authenticate with a simple Login Screen using a HTTP(S) call and that's it.
There's a few things I want to improve for this app though:
Secure Transmission
If I want to encrypt the user's password, where do I need to do it? On the device, before it's even sent? (In case of unsecure networks, like a public WiFi hotspot) Or better on the server, before writing it into the DB? Or should I just use SQL's encryption?
Auto Login
I want users to be able to stay logged in until the log out - how would I best do that? Not just security-wise, but also for the user experience.
My research shows me that using the AccountManager would be best to save the username and password and authenticate automatically when the app is started. Is there anything more to it, any security risks I'm missing here?
Access control
Usually, I would just expect every call made by an app to be valid, since a user can't access anything but the login screen without logging in. But how do I best authenticate a user's request to make sure that it's not an attacker? I can't just send the username/id with every request, so I probably need like a session token that I generate on each login? Or is there a better method?
Is there anything else I've forgot to think about?
I would suggest you to transfer password without encrypting it but by https. Other way would be to implement asymmetric encryption in your app and encrypt password with public key which you will receive from server.
On the server side I would hash password using some hashing algorithm with salt. And store only hash and salt. When users will log in, you can hash incoming passwords the same way and check hashes on equality.
To make auto login, you need to sign all requests from authorized users with a token. Token you will receive from the server after successful login. This token could be stored in Keystore, or special storage which is accessible only for this application.
Signing could be implemented by attaching to request additional parameter with checksum from all request parameters and token.
Additionally I would suggest you to think about unauthorized clone apps, which could pretend to be your app and call your server side API.
I currently have a hardcoded password and username in my program. These credentials are used to access files from a remote server. How can I help prevent someone from going through the source code and figuring out the username and password? (I currently use Proguard for obscuring the code, but I am new to it) Are there alternatives to hard coding the Strings in the application?
I have tried searching around but almost all questions address the problem of storing a user's password and name. I am having a difficult time coming across actually storing the master password for the server the user's credentials are accessed from.
Use Hashing to avoid store credentials in plain text.
Use SharedPreferences to store hashed credentials in local memory.
Read more:
How to securely store credentials (password) in Android application?