I'm writing a web service client and have the three obvious settings: url, username and password. For this the key value pairs in SharedPreferences would be enough. But I hit a roadblock when I wanted to subscribe to more than one server instance. What I need is the three settings stored once for each server instance added by the user. Whats the best approach here? Create a custom settings activity and save it to a file?
You can store a Set<String> in the SharedPreferences. You can use this to store the keys to the other properties.
One way of doing this is to store a set with keys that define each of your servers (for example, "foo.com" and "bar.com"). Then for each server store the properties you need using a known suffix. Lets say you need to the store the username and password for each one, then you would put "foo.com-username" and "foo.com-password" as the keys for the username and password for the "foo.com" server, same with "bar.com".
Related
I am building an app which generates a random password and you can keep it along with your other details such as username, website url, name etc.
Basically a password management thing.
Things to be stored:
When I am clicking on the save button, I wanted it to be saved somewhere locally. So that, I could retrieve them and display it in another activity.
Can I share those things in SharedPreferences for all those password entries securely? [By password entry, I meant the entire class ]
I have referred to something like ComplexPreferences [ http://blog.nkdroidsolutions.com/class-object-in-sharedpreferences/ ]
I've tried them because I had created a class containing all these data [title, url, username, password, notes]. But I cannot retrieve them properly using a recyclerview. I'm ending up with some error.
If it cannot be done with SharedPreferences, how can I do it with SQLite Database?
But how can I save them securely? I don't know much about security in Android.
Please guide.
The shared preferences and sqlite db both are secure for an extend only.
It can be easily accessanle and can be modified even there are several apps available to edit the shared preferences and sqlite db in playstore . **
So i prefer not to store it locally
.you can use some kind of **algorithms and mechanisms to encrypt and decrypt the data that you are going to store locally.
if the device is rooted then its a SERIOUS ISSUE
Let's say, that you have a generated password along with other details like user name. Storing this kind of data is a perfect fit for SQLite. But, storing in plain text is not safe. Either the whole database or individual records should be encrypted. The former can be done using one of the open source database encryption libraries. For the later you have a couple of options:
Ask the user for a password each time he opens the app. Generate the actual encryption key using password-based encryption and the same salt value.
You can use the Android Keystore Provider to generate an encryption key and save it for you in a safe location on the device. Later, you retrieve the entry from the keystore and use it to encrypt/decrypt your database records using javax.crypto.Cipher.
Both options ensure that the encryption key is not be present in the app.
I still don't understand, why you need to save it locally? If only your application will be able to unlock data. In this case, only your application will have keys to working with this files.
For this example, you can easily work with SharedPreference with Private Mode. Furthermore, it's enough for most tasks. We using this option to save User's token, and it's Ok, for system. (If we talk about safety of this way, so you will have some risk for custom ROM, for Users, which manually flashed on device.)
If you need more complicated things, you can use sample, for using Android Keystore, with generating Key Pair, and saving data. For example you can check this source.
UPDATE!
So question was updated a lot, from first version. I will update information what you a looking for. Saving huge encrypted information locally.
Maybe easer way to do it, it's just use local encryption of data, as I described above, using Android KeyStore, KeyChain (links above). You will create our own KeyPair and will use for encryption and descryption some data. But this data, you will save in your DB in encrypted view.
Another more complex solution, will be creation of mechansim for encyption/decryption DB. As you described, you will save all information in DB, and after, just encrypt/decrypt you DB files. Fortunatly, we already have such library SQLCipher, just take a look. Fore example, this is pretty simple tutorial
I'm trying to build a secure remember me system that allow user enter in the app without insert credentials each time.
i found this:
Add a "Remember me" checkbox in whitch was used sharedPreference that seems to me are not te best solution because every rooted phone can easily modify that params.
what's the best practice to follow?
well the idea behind remember me is that you trade in their user name and password for some sort of auth token from your backend, and save that in shared prefs or SQLite. You SHOULD NOT be saving their username and password anywhere. You should be saving a token of some sort for them. if they dont have a token stored keep them at login, and if they do then take them to the main page and send that token to a backend to be validated, and log them out if it is not
You can save credentials in SQLite. Encode them and decode.
You can implement own decoder if you want and saving credentials in SharedPreference.
I am trying to use stored username and password to connect to a web service from android app code, is it visible to anyone who can decompile my .apk file please help?
You shouldn't be storing a credential in plain text. Ever. If your user logs in, then you should store the cookie or session key but not the password itself. If it's credentials for a web service and you need it encoded, you should use API Keys instead of a password.
If you are storing the credentials in the memory then one cannot directly get those by decompiling. But instead they can see the way you are storing the values. Like if you are storing it in SharedPreferences they can see the keys for the values and they can regenerate the apk and get the values.
You can use ProGuard for obsfucate your .classes files, and store your credentials there. It is a bit dificult for use it, but the results is excelent.
The classes that you don't want to obfuscate, you can use:
-keep public class <MyClass>
Hope this help.
I'm currently designing an application which has initial login page. I provide remember me functionality and I stored username and password values in shared preferences. I illustrated my sample code below.
SharedPreferences preferences = getApplicationContext().getSharedPreferences("MyAppSettings",Context.MODE_PRIVATE);
SharedPreferences.Editor edit = preferences.edit();
edit.putString("username",username);
edit.putString("password",password);
edit.commit();
Info: Suppose username and password are string variables which are filled by user
Whenever user sets checkbox remember me, I store these variables in shared preferences.
I wonder that is this way safe and reliable for performing this kind of operation?
I mean that can these variables be reachable from outside the application?
Also, do I have to encrypt password of the user and store in shared preferences?
Thanks in advance,
Although Raghav Sood did answer your question correctly, your approach to the app design is fundamentally wrong in my opinion.
Modern day practices dictate that you should not store username and password at all in your app. Instead the login process should generate an oauth token that your app can then encrypt and remember for future access the web-server.
To have a general reading about oauth tokens you can check the wikipedia article on it http://en.wikipedia.org/wiki/OAuth and just as example, twitter uses that approach for apps connected to it https://dev.twitter.com/docs/auth/oauth/faq
I mean that can these variables be reachable from outside the application?
Anyone with a rooted device can view your SharedPreferences. It is simply an XML file stored on the device.
Also, do I have to encrypt password of the user and store in shared preferences?
It would be safer to do so, yes. Also encrypt the username while you're about it.
Make the user submit the username & password
Once the backend validates the user, make the server return a JWT
Store this JWT in shared preferences securely using Hawk
Use this JWT to authenticate user in the future
I am creating an application which requires login and enables user to configure some settings.
However I would like to enable user to store preferred settings, username and password.
Does anyone know how to store and retrieve values from registry?
Another possibility is using SQL Lite database but if possible I would prefer to store values to registry.
Thanks!
"Preferences is a lightweight mechanism to store and retrieve key-value pairs of primitive data types"
http://developer.android.com/guide/topics/data/data-storage.html