How to safely store passwords on Android?

Question

The task is to save the entered password(PasswordStr) or mKey.getEncoded byte[] and later automatically send to the Crypto API (Cipher)

    SecretKey mKey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(PasswordStr.toCharArray());

It is clear that this password can also be encrypted , but this will require another password and so on to infinity.

May be Android already provides a mechanism for storing passwords?

p.s use remote server is not possible. Need to be stored locally.

Answer 1

You can use Android's Keystore API.

A secret is encrypted by a masterpassword derived from the phone's password or pin. It is regarded as a good software based encryption solution. Note, that the user must set a password/pin on his phone for this to work.

Nelenkov gives a good overview:

Android's credential storage is implemented as a native Linux service (daemon), with a few extra layers on top of it that make it available to the framework. Let's quickly review what we know about the keystore daemon (described in more detail here):

• it's a native daemon, started at boot
• it provides a local control socket to allow apps and system services to talk to it
• it encrypts keys using an AES 128 bit master
• key encrypted keys are stored in /data/misc/keystore, one file per key
• the master key is derived from the device unlock password or PIN it
• authorizes administration commands execution and key access based on caller UID

See the Android Documentation for more details.

Answer 2

Check Handling Credentials section on the android developers guide. I'll quote it here.

Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.

Services that will be accessible to multiple applications should be accessed using AccountManager. If possible, use the AccountManager class to invoke a cloud-based service and do not store passwords on the device.

After using AccountManager to retrieve an Account, CREATOR before passing in any credentials, so that you do not inadvertently pass credentials to the wrong application.

If credentials are to be used only by applications that you create, then you can verify the application which accesses the AccountManager using checkSignature(). Alternatively, if only one application will use the credential, you might use a KeyStore for storage.