Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Android: Storing username and password?

People also ask

Is it safe to store passwords on Android phone?

If your device is hacked or stolen, storing passwords on your device gives hackers easy access to all of your accounts and personal information. Although it might be tempting and convenient, you should never save passwords on your phone, tablet, or computer.

Does Android have a password manager?

Welcome to your Password ManagerManage your saved passwords in Android or Chrome. They're securely stored in your Google Account and available across all your devices.

What is credential storage in Android?

Credential Storage is one of the options that must be enabled for keychain usage. You might be able to fix the issue locally on your device. When your device asks you to supply your Credential Storage password, simply use your lock screen PIN code.

Where is Android app password stored?

Select “Settings” near the bottom of the pop-up menu. Locate and tap on “Passwords” partway down the list. Within the password menu, you can scroll through all of your saved passwords.


Most Android and iPhone apps I have seen use an initial screen or dialog box to ask for credentials. I think it is cumbersome for the user to have to re-enter their name/password often, so storing that info makes sense from a usability perspective.

The advice from the (Android dev guide) is:

In general, we recommend minimizing the frequency of asking for user credentials -- to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.

Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.

Using the AccountManger is the best option for storing credentials. The SampleSyncAdapter provides an example of how to use it.

If this is not an option to you for some reason, you can fall back to persisting credentials using the Preferences mechanism. Other applications won't be able to access your preferences, so the user's information is not easily exposed.


You should use the Android AccountManager. It's purpose-built for this scenario. It's a little bit cumbersome but one of the things it does is invalidate the local credentials if the SIM card changes, so if somebody swipes your phone and throws a new SIM in it, your credentials won't be compromised.

This also gives the user a quick and easy way to access (and potentially delete) the stored credentials for any account they have on the device, all from one place.

SampleSyncAdapter (like @Miguel mentioned) is an example that makes use of stored account credentials.


I think the best way to secure your credential is to first think of storing the Password with encryption in the account.db file which couldn't be easily available in non rooted devices and in case of rooted device the hacker must need the key to decrypt it.

Other option is do all your authentication like the way Gmail is doing. after the first authentication with the Gmail server . you got the Auth Token that would be use in case of your password . that token would be store in plain text.this token could be false in case you change the password from Server.

the last option I'd recommend you to enable 2-Factor Authentication & create Device Specific Password for your device. After losing device, all you need is to disable that device.


Take a look at What is the most appropriate way to store user settings in Android application if you're concerned about storing passwords as clear text in SharedPreferences.


You can also look at the SampleSyncAdapter sample from the SDK. It may help you.