Where do I need to store the authentication token which will be submitted with each request in an Android application? I'm asking for a secure storage location, for example iphone has keychain, is there an equivalent service in Android? Is storing in shared preferences secure or not?
In Android 4.3+ there is something called AndoridKeystore which is roughly equivalent to iOS key chain. Here's a good blog write up of it and official API sample project.
In general if your create your shared preferences with Context.MODE_PRIVATE they are only accessible by your application (or other app signed by your key). However if the device is rooted they the user and any app could potentially read your app's private shared preferences.
I helped create and maintain a library called secure-preferences to obfuscate key and values that are stored in the shared preferences to make it harder for attackers and require then to reverse engineer the app (although that's not rocket science). A good alternative to secure-preferences is CWAC-prefs by Mark Murphy which is backed by SQLcipher.
Related
I'm working on an Android multi module (multiple apps) project and encountered a use case where I have to save some secret information that could be accessed by all these apps. My idea is to encrypt the secret information using a private key that is saved inside the KeyStore, and save this information in a file that I'm planning to store in the device (not external storage). My question is, would I be able to access this private key inside the KeyStore from another application and then use it to decrypt the secret information that is saved in the device?
I was looking at Android's KeyStore documentation, and if I understood it correctly, I can use the KeyStore APIs to save the cryptographic keys and use them with in the same application. But also the KeyChain documentation says I can use these cryptographic keys across multiple apps with in the system. I'm quite confused about how I can combine these two APIs and make it work for my use case. Any help is appreciated. Thank you.
My idea is to encrypt the secret information using a private key
You encrypt with a public key, never with the private key. The private key is used for decryption.
If you create public keys for all the apps then you can decrypt with individual private keys for these apps. Of course you'd have to trust these apps and the public key pair of each app in advance; I'm not familiar enough with your setup to make any recommendations in that regard.
To be honest the KeyChain API seems more about TLS authentication than anything else and I don't think it fits your use case. The API of the choosePrivateKeyAlias for instance only talks about authentication and a server requesting a key chain.
Key stores can be can in principle be distributed. Or course, to access / decrypt them you'd still need a key distributed within each app. You can share the information for specific signed applications only it seems. Possibly just the security of sharing the data privately without encryption already fulfills your use case? Key management is tricky, after all.
Caveat: I'm not terribly well known with the Android security model; hopefully my general knowledge of cryptography & security steers you in the right direction.
There is android:sharedUserId property. From the doc:
Apps with the same user ID can access each other's data and, if desired, run in the same process.
Unfortunately, it was deprecated in API 29 without proper replacement.
Is there an equivalent to iOS's Keychain on Android?
My understanding of the Preferences API is that it is not encrypted. For my application it doesn't matter whether these credentials are persisted across devices (i.e. a different use-case to iPhone-like Keychain in Android?)
I also looked at the KeyStore API but it seems to leave the actual storage of user credentials up to the application developer.
Short answer, there isn't one. But you can expect the filesystem to be secure.
Each app operates under a different user, and the filesystem used to store app data is secured by normal UNIX user permissions. So each app's file access is sandboxed by default. The filesystem also may be encrypted.
This page from the developer's site explains it better: http://developer.android.com/guide/topics/security/security.html
Actually there is:
By integrating Smart Lock for Passwords into your Android app, you can
automatically sign users in to your app using the credentials they
have saved. Users can save both username-password credentials and
federated identity provider credentials.
Integrate Smart Lock for Passwords into your app by using the
Credentials API to retrieve saved credentials on sign-in. Use
successfully retrieved credentials to sign the user in, or use the
Credentials API to rapidly on-board new users by partially completing
your app's sign in or sign up form. Prompt users after sign-in or
sign-up to store their credentials for future automatic
authentication.
https://developers.google.com/identity/smartlock-passwords/android/
Expanding upon #DJPlayer's answer:
Some relevant articles. The third includes a github app that demonstrates using the keystore provider to generate keys and then encrypt strings.
Android Keystore System
Where is the best place to store a password in your Android app?
How to use the Android Keystore to store passwords and other sensitive information
Also see Android Storage Options for ways to store the encrypted password - my recommendation is Shared Preferences.
Note that according to the second article with root access and a bit of knowledge of how your app uses the keystore (which might be obtainable from decompiling your apk), it's possible to hijack the private key and use it to decrypt encrypted material (ex: the persisted password)
http://developer.android.com/reference/android/security/KeyChain.html
Keychain for OS 4.0
I have Android and iOS apps which need to post to social networks, like Twitter and Facebook, directly using users' accounts.
Is it safe to embed the API Key and Consumer Secret in source code (or put in a pref file) within the Android/iOS app? Wouldn't it be possible that some hacker can find the API Key and Consumer Secret?
Pref is never safe for storing your passwords, it have been seen simply in root devices you can encrypt your pass and then put in pref but still your encrypt key exist in code in my experience your codes are not safe too even you use ProGuard.it can decompile and normal developer(not even hacker) can find keys I suggest you never store passwords locally .
if you have to do this I suggest you
use complex code with multipart password that each part store in different location with encryption
also from api 23+ you can use KeyStore
use ndk and store pass in c form
and finally use Proguard and DexGuard.
We are developing an application that has a requirement to use HMAC when communicating with one of our back end servers.
We are required to use an algorithm which I am confident that Proguard will obfuscate enough. The issue is that the algorithm requires some initial keys that the backend service will provide to us to use in our app.
How to secure it securely on the phone? Shared Preferences is ok but then how to get it into Shared Preferences in the first place?
I have to store the private key of my app in a secure location in the android device, i read about certStore, but it doesnt allow to store a file in it.
Is there any location where I can store it securely and doesn't get deleted if app re-installs.
You can store the key in the Preferences of your App. This will protect the key from
getting read by other applications because of the underlying file system restrictions of
the Android system.
But this won't protect the key from being read by the user itself.
and if you want to use this shared preference after your application removed and again installed in device then try for Android Backup Manager.
I think its help you in re-installation of your activity's data.
EDIT: Android (unfortunately) does not provide a way to do so. The approach I've used
before is to encrypt this token with another key generated within the app.
Your app key can be algorithmically generated. This, however, is only as secure as
your algorithm. Once that is known this is equivalent to storing the token in plain text.
Thanks.