
Android Login Design and development - Approaches and best practices [closed]

Tags: android, login

Okay. I started developing an Android App for our enterprise web app. Just started the Login screen activity design.

This app is completely driven by a RESTful API.

I would like to understand how to develop login / logout feature in the application. As far as I understand, there is no Session concept in the app world. Also, for the API, we need to send Username and Password with every request (Basic Auth). So apparently, we need to keep the login credentials somewhere in the local storage to send along with every request.

Here is what I understand from my basic Android knowledge.

When the user enters login information and presses the button, we'll spin up an HTTP call to the API. If the login credentials are valid, then we'll have to store the credentials locally. Options are:

  1. SQLite
  2. Shared Preferences. (I never used it. But I am assuming, we can use this)
  3. Bundle (Not sure if this is an option)

Any other alternatives?

I want to make sure I follow best practice without sacrificing anything from a performance and architecture perspective.

And for the logout, I think I just need to wipe out the credentials stored locally and show login Activity.

Are there any different and better approaches?

Kevin Rave asked Aug 29 '12 04:08



3 Answers

I would suggest making use of the Android Accounts feature.

This blog has a pretty good step-by-step guide on all the bits you need to put together.

The general idea is you supply the AccountManager with the user's username/password, and leave it up to the AccountManager to store them securely.

When you need an authentication token, you ask the AccountManager for one, and it will either return a cached token, or call back into your code (passing the username/password) and you make the call to your authentication service to get a fresh token.

Rob answered Oct 07 '22 07:10


I think storing the password in the app is a bad idea. A better approach is to make a request with the user's credentials the first time the user logs in; the server returns an access token. Save this access token in SharedPreferences, and for everything else, such as getting user details, use the token in the request.

Session: Create your own class to maintain the session. Hackbook is a good example of this.

Jaiprakash Soni answered Oct 07 '22 07:10


Generally, there are three ways you can persist data in Android: SQLite, SharedPreferences, and reading/writing onto a file a la Java I/O. SQLite is optimal for relational data, but because you simply need to store the user's credentials, I recommend you use SharedPreferences. It seems to me like a simple key-value data model.

SharedPreferences are basically just an encapsulation of direct file I/O--that is, the underlying implementation is still file reading and writing, but simplified for key-value pairs. I don't know much about encryption, but you might have to handle that yourself before storing the password in a SharedPreferences object (also consider JaiSoni's suggestion: use an access token instead). Rest assured, however, that if you create the SharedPreferences and set it to MODE_PRIVATE, other apps won't have access to the shared prefs file.

I believe this is pretty much a standard implementation. If you look at this page, there's really only so much you can do: http://developer.android.com/guide/topics/data/data-storage.html

May I also point out that one of the complexities with direct file I/O is that you'll have to decide where you want to store the file--internal or external memory (e.g., SD card)--and hence check for its availability (not all devices have SD card slots, and sometimes internal memory is registered as external memory to the device). So just go with shared prefs.

For logging out, this might be useful: Deleting shared preferences

MLQ answered Oct 07 '22 05:10
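
The access-token approach from Jaiprakash Soni's answer, combined with the MODE_PRIVATE storage and logout-by-deletion points from MLQ's answer, as an added example that is not part of the original thread. The login URL, the JSON field names and the `Bearer` header scheme are assumptions about the API, and the class name `SessionManager` is hypothetical; it builds against the Android SDK.

```java
import android.content.Context;
import android.content.SharedPreferences;
import org.json.JSONObject;
import java.io.OutputStream;
import java.net.URL;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;

/** Keeps only the server-issued token on the device; the password is never persisted. */
public final class SessionManager {
    // Assumptions (not from the thread): endpoint URL, JSON field names, Bearer scheme.
    private static final String LOGIN_URL = "https://api.example.com/login";
    private static final String KEY_TOKEN = "access_token";
    private final SharedPreferences prefs;

    public SessionManager(Context context) {
        // MODE_PRIVATE limits the file to this app's UID; the contents are not encrypted.
        prefs = context.getApplicationContext().getSharedPreferences("session", Context.MODE_PRIVATE);
    }

    /** Call off the main thread. Credentials travel once, over HTTPS, and are not stored. */
    public boolean login(String username, String password) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(LOGIN_URL).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/json");
            String body = new JSONObject().put("username", username).put("password", password).toString();
            try (OutputStream out = conn.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
            if (conn.getResponseCode() != 200) return false;   // rejected: nothing is saved
            try (Scanner s = new Scanner(conn.getInputStream(), "UTF-8").useDelimiter("\\A")) {
                String token = new JSONObject(s.hasNext() ? s.next() : "{}").optString(KEY_TOKEN, null);
                if (token == null || token.isEmpty()) return false;
                prefs.edit().putString(KEY_TOKEN, token).apply();
                return true;
            }
        } finally { conn.disconnect(); }
    }

    /** Attach the token to an API request instead of resending username/password. */
    public void authorize(HttpsURLConnection conn) {
        String token = prefs.getString(KEY_TOKEN, null);
        if (token == null) throw new IllegalStateException("not logged in");
        conn.setRequestProperty("Authorization", "Bearer " + token);
    }

    /** Logout: delete the token synchronously; the caller then shows the login Activity. */
    public void logout() { prefs.edit().remove(KEY_TOKEN).commit(); }
}
```

Because only the token is on disk, a lost or compromised device can be cut off by revoking that token on the server without changing the user's password.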