I have an app which will connect to server and provide some basic connection credential information like server url, userer, application id etc What is the best option for storing this information within the android app? Should it be a preference? not sure where to store these items. I should clarify this question a bit. There are different levels of security requirements, so I am interested in hearing about how to encrypt the password etc, but there are also items which are generally not encrypted like connection urls etc, so I am also interested in how to store such information as well. I am basically looking for a better solution
You can programatically CRUD SharedPreferences to store this information. PreferenceManager.getDefaultSharedPreferences is one way to access them. Read this guide to get started: http://developer.android.com/guide/topics/data/data-storage.html#pref
Android will prevent other applications from accessing whatever you store in SharedPreferences or a SQLite database. In either way, you are still storing information in the clear. If an attacker gains root access, they can read that information.
Update - I couldn't find this earlier, but here is some sound advice from Reto Meier: What is the most appropriate way to store user settings in Android application
You want to use an HTTPClient and store these values in session cookies (handed out by the server).
These cookies are automatically managed by the HTTPClient whenever you make a request until the cookies expire.
DO NOT DO NOT DO NOT store this information in a local database or in Preferences. Anyone that plugs that phone into their computer can browse the database extremely easily if they are so inclined.
I think preferences is the best. Storing in SQLite database might not be secure.
Databases can be pulled out and accessed(also using SQLite Editor apps), but preferences cannot be accessed by any other applciation.
Related
I'm trying understand which is the best way to store sensitive data in Android. In my app i want to insert a classic in-app-purchase model with some coins. My problem is that i'm not sure how to implement this correctly.
The initial idea was to simply use my firebase database, store the number of coins for every user and fetch the data every time the app is launched. This way I can easily detect some inappropriate usage but my users are forced to use the internet to play.
Looking at the documentations, I found this. Can this be a solution? Can I save in the internal storage the number of coins, maybe with some type of encryption, to avoid root user to modify the file? Then when the internet is on I can double-check the local stored variable with the the one in the database.
Thanks
Not an "easy" task.
Technically, you can create a SecretKey and encrypt data, so no normal user will be able to reproduce. If your concern are root users, You are kind of out of luck, as he can hook into your app while it is reading/writing that value.
But to store it online is not a solution in itself. You have to answer questions like: "Do you trust any server input"?
"How to make sure just paid coins are added"?
Have you had a look at Google Play billing?
it provides safe way's to determine if somebody paid or not.
This will require to be online.
If you have a sensitive data to save you can use sqlcipher database .. the good with it that it encrypt the database file itself so even the root user be able to get the database file he will not be able to decrypt it if you use a secured encryption algorithm.
you can find more about sqlcipher here
https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
Since I assume you will grant your app a reading permission of your sensitive data and all writing processes should be reserved server-side, I would not recommend storing the data in a file on a phone, though every encryption can potentially be passed.
Maybe you already have heard about SharedPreferences, which is a good solution for let's say Preferences the user selects and that only shall affect his particular installation of your app. The difference is, that values are not stored in an external file, so not that easy accessible, BUT your app needs to write them, due only the app can access them directly (also your server can't). I am not aware of how your sensitive data is used at all but I would also not use SharedPreferences since it's injective-prone.
Official docs about SharedPreferences.
If security of your data (speaking of Confidentiality, Integrity, Authentication) is your No. 1 priority, simply don't store your sensitive data on the users device. Focus more on creating an API that ensures secure and performant passing of the relevant bits of your sensitive data. Hope this helps to give you a view of which way to go and which to walk around.
I am building an app which generates a random password and you can keep it along with your other details such as username, website url, name etc.
Basically a password management thing.
Things to be stored:
When I am clicking on the save button, I wanted it to be saved somewhere locally. So that, I could retrieve them and display it in another activity.
Can I share those things in SharedPreferences for all those password entries securely? [By password entry, I meant the entire class ]
I have referred to something like ComplexPreferences [ http://blog.nkdroidsolutions.com/class-object-in-sharedpreferences/ ]
I've tried them because I had created a class containing all these data [title, url, username, password, notes]. But I cannot retrieve them properly using a recyclerview. I'm ending up with some error.
If it cannot be done with SharedPreferences, how can I do it with SQLite Database?
But how can I save them securely? I don't know much about security in Android.
Please guide.
The shared preferences and sqlite db both are secure for an extend only.
It can be easily accessanle and can be modified even there are several apps available to edit the shared preferences and sqlite db in playstore . **
So i prefer not to store it locally
.you can use some kind of **algorithms and mechanisms to encrypt and decrypt the data that you are going to store locally.
if the device is rooted then its a SERIOUS ISSUE
Let's say, that you have a generated password along with other details like user name. Storing this kind of data is a perfect fit for SQLite. But, storing in plain text is not safe. Either the whole database or individual records should be encrypted. The former can be done using one of the open source database encryption libraries. For the later you have a couple of options:
Ask the user for a password each time he opens the app. Generate the actual encryption key using password-based encryption and the same salt value.
You can use the Android Keystore Provider to generate an encryption key and save it for you in a safe location on the device. Later, you retrieve the entry from the keystore and use it to encrypt/decrypt your database records using javax.crypto.Cipher.
Both options ensure that the encryption key is not be present in the app.
I still don't understand, why you need to save it locally? If only your application will be able to unlock data. In this case, only your application will have keys to working with this files.
For this example, you can easily work with SharedPreference with Private Mode. Furthermore, it's enough for most tasks. We using this option to save User's token, and it's Ok, for system. (If we talk about safety of this way, so you will have some risk for custom ROM, for Users, which manually flashed on device.)
If you need more complicated things, you can use sample, for using Android Keystore, with generating Key Pair, and saving data. For example you can check this source.
UPDATE!
So question was updated a lot, from first version. I will update information what you a looking for. Saving huge encrypted information locally.
Maybe easer way to do it, it's just use local encryption of data, as I described above, using Android KeyStore, KeyChain (links above). You will create our own KeyPair and will use for encryption and descryption some data. But this data, you will save in your DB in encrypted view.
Another more complex solution, will be creation of mechansim for encyption/decryption DB. As you described, you will save all information in DB, and after, just encrypt/decrypt you DB files. Fortunatly, we already have such library SQLCipher, just take a look. Fore example, this is pretty simple tutorial
I am creating an chat program that communicates with my server at home, so I can send commands. I was wondering what is the best way to save the login information? database? shared preference? sqlite database? file(xml,txt)?
what do you guys think and why?
You can take a look at this article: http://developer.android.com/guide/topics/data/data-storage.html
In my opinion, the best way will depend on the amount of data, if you want to save your login information I'd use SharedPreferences, but if you want to save the login information of many people, I think of using a sqlite database.
Login information contains passwords also, so I would consider this security problem choosing the location to save data.
Login information is usually stored in the server and not in the client: I would definitely choose to store them in a DB.
I suggest to encrypt passwords if you want to save them in a DB (SQLite, MySql or whatever).
For further information I suggest to take a look here:
Android: Storing username and password?
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
Okay. I started developing an Android App for our enterprise web app. Just started the Login screen activity design.
This app is completely driven by RESTFul API.
I would like to understand how to develop login / logout feature in the application.
As far as I understand, there is no Session concept in the app world. Also, for the API, we need to send Username and Password with every request (Basic Auth). So apparently, we need to keep the login credentials somewhere in the local storage to send along with every request.
Here is what I understand from my basic Android knowledge.
When user enters login information and presses the button, we'll spin up a HTTP call to API. If login credentials are valid, then we'll have to store the credentials locally. Options are
SQLite
Shared Preferences. (I never used it. But I am assuming, we can use this)
Bundle (Not sure if this is an option)
Any other alternatives?
I want to make sure I follow the best practice, while not sacrificing from performance and architecture perspective.
And for the logout, I think I just need to wipe out the credentials stored locally and show login Activity.
Are there any different and better approaches?
I would suggest making use of the Android Accounts feature.
This blog has a pretty good step by step guide on all the bits you need to put together.
The general idea is you supply the AccountManager with the users username/password, and leave it up to the AccountManager to store them securely.
When you need an authentication token, you ask the AccountManager for one, and it will either return a cached token, or call back into your code (passing the username/password) and you make the call to your authentication service to get a fresh token.
I think storing password in app is bad idea, better approach is just make request with user credential at first time when user get login the server return an access token save this access token in SharedPreferences for rest of purpose like getting user detail use the token in request.
Session : Create your own class for maintain session. Hackbook is a good example for it.
Generally, there are three ways you can persist data in Android: SQLite, SharedPreferences, and reading/writing onto a file a la Java I/O. SQLite is optimal for relational data, but because you simply need to store the user's credentials, I recommend you use SharedPreferences. It seems to me like a simple key-value data model.
SharedPreferences are basically just an encapsulation of direct file I/O--that is, the underlying implementation is still file reading and writing, but simplified for key-value pairs. I don't know much about encryption, but you might have to handle that yourself before storing the password in a SharedPreferences object (also consider JaiSoni's suggestion: use an access token instead). Rest assured, however, that if you create the SharedPreferences and set it to MODE_PRIVATE, other apps won't have access to the shared prefs file.
I believe this is pretty much a standard implementation. If you look at this page, there's really only so much you can do: http://developer.android.com/guide/topics/data/data-storage.html
May I also point out that one of the complexities with direct file I/O is that you'll have to decide where you want to store the file--internal or external memory (e.g., SD card)--and hence check for its availability (not all devices have SD card slots, and sometimes internal memory is registered as external memory to the device). So just go with shared prefs.
For logging out, this might be useful: Deleting shared preferences
Why do you need to persist the login credential in a file or database? do you want to be automatically logged in after your app is restarted? if persistance is not necessary you can put the credentials into a static java member.
I am creating a community app where people can have a profile and search for people - like the soical network kind.
Which is the best way to store data of the logged in User like - User ID, name etc. so that i can use this across the activities for showing data and doing Api calls to get data across the application for the user related content.
What i want to store Locally
User Details like -> userId, Name, Last Known localtion, gender, birthday
Messages Inbox -> threads of conversations between two people.
You can use either SQLite Databases or Shared Preferences Using SQLite Databases will be better If you want to store more information ina astructured manor. But to save small information you can use Shared Preference
Well I guess the best approach is to store data in a database (SQLite), and use a call to sync the data with the server. Like this you can use your app even if you are offline :)
If you store data in memory when you have no internet connection, or you have an internet connection problem, you will get into a lots of trouble.
Good luck,
Arkde