 

Android - Where should we save username and password in device memory?

What is a good practice to save username and password on device?

I have gone through many answers on StackOverflow and now I am a bit confused.

I am working on an email app and I want my user to feel absolutely safe while using it.

Some people suggest that we should encrypt it and save it in SharedPreferences. Some suggest we shouldn't save it on the device at all.

I just want the user's details to be stored in the safest place possible.

Any help, suggestions would be highly appreciated.

Asked Nov 02 '11 18:11 by Varundroid


2 Answers

You should save users' credentials using the AbstractAccountAuthenticator class. Not only is this super secure, it also makes your app feel more integrated with Android. Have you ever gone to the "Accounts" screen in your Android settings and seen your Facebook, Twitter, and GMail accounts there? That's because they're using an AccountAuthenticator. Also, it allows you to associate URIs/ContentProviders with particular user accounts. To see a really comprehensive (but complicated) example of all this, check out the SampleSyncAdapter example.

Answered Sep 22 '22 00:09 by Kurtis Nusbaum


Do you have any control of the server side, or is this a generic email client? If you can control the server side, I would do something like authenticate, then have the server generate a UUID and keep that locally for future API calls. Another idea would be to send a hash of the password to API calls instead of the actual password; then you can store just the password hash locally.

The issue with encrypting the username/password is that your code needs to be able to decrypt it, and if your code can decrypt it, somebody can reverse engineer your code and do that as well, although you can make it easier/harder by how you code and package it.

Once you figure out WHAT you're storing, you can figure out how you store it. One account? Shared prefs. Multiple accounts? Create an SQLite DB.

I would suggest using http://ormlite.com/ to handle your DB connections. I did a good chunk of the initial Android port work, and it's now been enhanced/maintained by a top-notch group of hackers. Very solid stuff.

See more SQLite blog posts:

http://www.touchlab.co/blog/single-sqlite-connection/
http://www.touchlab.co/blog/android-sqlite-locking/

Answered Sep 23 '22 00:09 by Kevin Galligan
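The two answers above fit together: register the account through the AccountManager (first answer) but keep only a server-issued token rather than the password (second answer). The following is an added example, not code from either answer; the account type "com.example.mailapp", the token type "session", and the idea that a login call already returned `serverToken` are assumptions.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;

/**
 * Keeps a server-issued session token in the Android AccountManager and
 * never writes the plaintext password to device storage.
 */
public final class MailAccountStore {
    // Assumed account type; must match the accountType declared in the
    // authenticator XML of the app's AbstractAccountAuthenticator.
    static final String ACCOUNT_TYPE = "com.example.mailapp";
    // Assumed token type label; any string the app chooses consistently.
    static final String TOKEN_TYPE = "session";

    private final AccountManager am;

    public MailAccountStore(Context context) {
        this.am = AccountManager.get(context);
    }

    /**
     * Registers the account with no password and caches only the token.
     * addAccountExplicitly() only succeeds for the app that owns the
     * authenticator of ACCOUNT_TYPE (same UID), which is what keeps other
     * apps from reading or replacing the entry.
     */
    public Account save(String email, String serverToken) {
        Account account = new Account(email, ACCOUNT_TYPE);
        // The second argument is the password; it is deliberately null so the
        // credential is never stored, only the token the server handed back.
        am.addAccountExplicitly(account, null, null);
        am.setAuthToken(account, TOKEN_TYPE, serverToken);
        return account;
    }

    /** Returns the cached token, or null when the user must log in again. */
    public String token(Account account) {
        return am.peekAuthToken(account, TOKEN_TYPE);
    }

    /** Drops a token the server rejected so the next call forces a fresh login. */
    public void invalidate(String rejectedToken) {
        am.invalidateAuthToken(ACCOUNT_TYPE, rejectedToken);
    }
}
```

Note that the AccountManager does not encrypt the token for you; its protection is that the system accounts database is reachable only through the authenticator's own UID, so a reverse-engineered app still cannot recover a password that was never stored.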