I would like to write an Android application which requires the user to have the screen pin activated and uses the entered pin as a key to unlock the app. (This key is used for low-security encryption.)
Is there any way to get at least a hash of the entered pin? How can I prove/ensure that the screen pin is activated and will stay that way? Is it possible to get a notification when the pin is entered and therefore the unlock key for my app has changed?
I have a usual screen with "email" and "password" EditText fields. I have marked my fields with autofillHints, so that the Android AutofillService can propose already saved passwords to the user. It's working. But it looks like it only proposes passwords which were previously entered in a browser or somewhere else and were saved to my Google account via Google Password Manager. But those successful pairs of email and password which were entered via a native app Fragment -- it is not saving them after the login procedure. But I want to save those user credentials after a successful Login/Register flow so that they can be used via the AutofillService to propose to the user to log in with them.
So I assume there should be some sort of API which I can trigger in the onLoginSuccess() method to save those credentials in Google Password Manager or whichever Google Service is available, to make them available to the Autofill Service next time.
Offer to save passwords - enabled, AutofillService also enabled:
https://www.lifewire.com/how-to-manage-android-autofill-settings-4801221
AutofillService: https://developer.android.com/guide/topics/text/autofill-optimize
AutofillService for Jetpack compose: https://developer.android.com/reference/kotlin/androidx/compose/ui/autofill/package-summary
So how to trigger Google Password Manager in a native XML view or Jetpack Compose to show a popup to save the user's password for later use in the AutofillService? Thanks.
I have solved my issue with these libraries from Google:
Smart Lock for Passwords: https://developers.google.com/identity/smartlock-passwords/android/overview (outdated)
One Tap sign-in on Android: https://developers.google.com/identity/one-tap/android/overview (new one)
I personally have used Smart Lock for Passwords (it's already outdated), but for my solution it works great and needs only a little customization.
Because One Tap needs more time to set it up properly on the server side to work with security tokens.
But pay attention - both of these libraries don't work in conjunction with the Autofill Service with Jetpack Compose. Probably they work with the Autofill Service used with XML layouts, but this is what I have discovered.
I'm developing an Android app to control a food safe which should be closed e.g. for 20 hours. As I want to use it myself, I want the app to create a random password and store it in the controller of the safe (Bluetooth + Arduino) and in the app. The safe only accepts commands from the phone if the password is correct.
How can I hide the password in the app from myself?
I tried to store the random password in the encrypted shared preferences, but I just need to connect my phone to my PC and run the app, and then I can debug the password (though it is a released, non-debuggable version).
Any advice would be so great. Thanks
I'm not sure what the issue you're facing is.
About hiding the password from yourself, the best way I found so far is saving the MD5 equivalent in a file/DB.
To log in, instead of doing (TextBoxPassword == Password) you will call a function: (GetMd5(TextBoxPassword) == Password), where the stored password is already an MD5 hash.
Is there a way to lock every app I give to the end user with a unique password, so that only I can generate a valid password to unlock that app, and a copy of that app should not unlock with the same password as well?
I don't wanna set up an online server for that. I need my app to be unlocked offline.
You can generate a password on the first application start using the current system time and the Android ID, for example. Then you should show the user this time (which can be shown to them in some non-readable format) and their Android ID. Then the user sends you (or reads out by phone, etc.) these two lines and you combine them into a password using the same algorithm as the phone did.
If the password can be long - create an MD5 hash of a string consisting of the needed data. If it should be short - decrease the length of the MD5 or make some algorithm that will take only the needed length from the whole password.
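The answer above has both sides run the same digest over the Android ID and first-start time. The added example below (not the answer's code, nor any project's) keeps that challenge but has the developer's side sign it with an ECDSA private key, so the app ships only the public key, can check a code fully offline, and a copy of the app on a device with a different Android ID rejects the same code because the challenge differs. The names `challenge`, `issueCode` and `checkCode`, the sample Android ID and the timestamp are constructed for this illustration; a code produced this way is a Base64 signature, so it is longer than the short PIN the answer mentions and would be sent rather than read out by hand.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

/** Offline per-device unlock codes: the device builds a challenge, the developer signs it, the device verifies. */
public final class OfflineUnlockCode {
    private static final String ALG = "SHA256withECDSA";

    private OfflineUnlockCode() {}

    // Device side: the two values the user sends to the developer, in a fixed, non-readable form.
    static String challenge(String androidId, long firstStartMillis) {
        return androidId + ":" + Long.toHexString(firstStartMillis);
    }

    // Developer side (private key never leaves the developer): the unlock code is the signature over the challenge.
    static String issueCode(PrivateKey developerKey, String challenge) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(developerKey);
        signer.update(challenge.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signer.sign());
    }

    // Device side: only the public key is embedded in the app; no network needed.
    static boolean checkCode(PublicKey developerPublicKey, String challenge, String code) throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(ALG);
        verifier.initVerify(developerPublicKey);
        verifier.update(challenge.getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(Base64.getDecoder().decode(code));
        } catch (IllegalArgumentException | SignatureException e) {
            return false;   // not Base64, or not a well-formed signature
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Developer's long-lived key pair (generated here only so the example runs stand-alone).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair developerKeys = gen.generateKeyPair();

        String thisDevice = challenge("a1b2c3d4e5f60718", 1_700_000_000_000L);  // constructed sample values
        String code = issueCode(developerKeys.getPrivate(), thisDevice);
        System.out.println("code for this device: " + code);
        System.out.println("accepted on this device:        " + checkCode(developerKeys.getPublic(), thisDevice, code));

        String otherDevice = challenge("0f1e2d3c4b5a6978", 1_700_000_000_000L); // same app copy, other Android ID
        System.out.println("accepted on a copied install:   " + checkCode(developerKeys.getPublic(), otherDevice, code));
        System.out.println("accepted with a garbled code:   " + checkCode(developerKeys.getPublic(), thisDevice, "not-a-code"));
    }
}
```

Because only the public key is in the app, reading the app's code does not let anyone mint codes, which is the property the question asks for ("only I can generate a valid password"); the trade-off against the answer's digest scheme is code length.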
I have an app which allows users to remotely lock other phones, named "Parental Lock".
In the app, users can put a password for a time on their "children"'s phones.
The problem is, when the time specified by the "parent" ends, I want to remove the password given by the "parent" and restore the original one if there was one.
For now, when the time ends, I am removing the password via device manager from the phone, but to restore the old password put by the user themselves long before, I must get the password info.
To get the password, the password itself had to be encrypted in the first place (with yet another password, brr).
And the rule #1 says: never ever encrypt passwords, use hashing algorithms with a salt to store them.
I want to lock my application with a password which the user has set in the application's settings.
Each time the main activity of my app is going to be shown, a password dialog should be shown instead. I know how to do that, but I wonder...:
How do I store the password the user has set? I can't store it in SharedPreferences because you can delete SharedPreferences in your phone's settings. I thought about a text file which holds the password, but this file can be deleted, can't it?
Any ideas?
You cannot protect against the password being deleted one way or another, so you need to step back and consider why you have a password in the first place. Most likely you're using the password to protect data the app has access to, rather than the actual app itself (since protecting the app from running is not going to be effective against an attacker that has physical access to the device).
If your password is to protect data, you only need to ensure that an attacker cannot access the data due to deleting a password store. One way to do this is to use the password as an encryption key (or part of a key) that obscures the data -- thus there's not even a password to delete.
One option is to put the password in the same file as where you have the other information (I reckon you want to protect the settings/data of the user). Just do not start the app when that file is missing or corrupted. What you have accomplished then, is that the information is rendered unusable if someone tampers with the data. Sign / encrypt your data file(s).
Another solution could be to store the password (hash!) on a webserver.
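The two answers above converge on the same design: use the password as (part of) the encryption key for the user's data, and refuse to start when the file is missing or corrupted. The added example below (not either answer's code, nor any project's) shows that for Android/Java: PBKDF2 turns the password and a per-file salt into an AES-256 key, AES-GCM seals the settings, and the authentication tag makes a wrong password, a truncated file and a modified file all fail the same way, so there is no separate password entry left to delete. The class and method names (`PasswordSealedStore`, `seal`, `open`), the sample settings and the sample password are constructed for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Seals the app's data file under a key derived from the user's password; the password itself is never stored. */
public final class PasswordSealedStore {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;        // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;
    private static final int ITERATIONS = 100_000;

    private PasswordSealedStore() {}

    // Password + per-file salt -> 256-bit AES key.
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** File layout: salt || iv || ciphertext (the GCM tag is appended to the ciphertext by the cipher). */
    public static byte[] seal(char[] password, byte[] plaintext) throws GeneralSecurityException {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);                         // never reuse an IV under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + IV_BYTES, ct.length);
        return out;
    }

    /** Returns the settings, or null when the file is missing/truncated, tampered with, or the password is wrong. */
    public static byte[] open(char[] password, byte[] file) {
        if (file == null || file.length < SALT_BYTES + IV_BYTES + TAG_BITS / 8) return null;
        byte[] salt = Arrays.copyOfRange(file, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(file, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(file, SALT_BYTES + IV_BYTES, file.length);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
            return cipher.doFinal(ct);
        } catch (GeneralSecurityException e) {
            return null;   // AEADBadTagException lands here: wrong password or modified bytes, both refused
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] settings = "{\"theme\":\"dark\",\"locked\":true}".getBytes(StandardCharsets.UTF_8); // constructed sample data
        byte[] file = seal("hunter2".toCharArray(), settings);                                       // constructed sample password
        System.out.println("right password opens file:  " + (open("hunter2".toCharArray(), file) != null));
        System.out.println("wrong password opens file:  " + (open("wrong".toCharArray(), file) != null));
        System.out.println("missing file opens:         " + (open("hunter2".toCharArray(), null) != null));
        file[file.length - 1] ^= 0x01;   // flip one bit to simulate a tampered file
        System.out.println("tampered file opens:        " + (open("hunter2".toCharArray(), file) != null));
    }
}
```

On app start, a `null` from `open` is the "do not start the app" condition the earlier answer describes: the data is unreadable without the password, so deleting a preferences entry or a text file gains nothing.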