I want to store the password used for signing in a financial application that I am developing at a secure place. After doing some net surfing I found following options but each of them has certain drawback.
1) KeyChain.
Only available in OS version 4.
2) Shared Preferences.
It stores data in plain text even though if I encrypt the data then the encryption key can be compromised by decompiling the application code.
3) Access keystore daemon and store credentials in it.
(http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html) Requires another password to remember.
Please suggest me a better way to secure credential information in android application like IPhone KeyChain.
There is no better way to keep your passwords safe than to use a password manager, like Bitwarden. A good password manager should do more than store passwords, such as generate strong passwords and monitor data breaches for compromised passwords.
An application must receive credentials from somewhere to use services it depends on. These credentials are usually stored in configuration files.
Do Android Devices Have a Built-In Password Manager? Yes, you can use Google's Smart Lock with all of your Android devices and the Chrome browser. If you only use Android devices, then this may be enough to meet your needs, but it isn't compatible with Mac or Windows devices, or even with other browsers.
The is no equivalent of iPhone's KeyChain in Android currently. If you want to keep something secret, don't store it on the device. Or at least, don't store the key/password it is encrypted with on the device. Simple as that.
Additionally:
1) Even on ICS, you cannot use the KeyChain directly to store application secrets (see blog post in 3))
2) This is only a problem for rooted phones, or if someone has physical access to the device.
3) It is a lot better to remember a single password, protecting all of you credentials, than trying to remember multiple passwords. Additionally, on ICS, there is no separate password, the credential storage is protected by the device unlock password.
Hashing is the solution don't store credentials as plain text in shared preferences or any medium.
Just salt and hash the password then you may proceed to store it in either sharedPreferences or some embedded db.
Online
The plain(unhashed) password is sent to server for authentication & authorization upon successful login.
The salt either can be generated and returned from server to client or can be generated at client
Then store it as salt and hash the password and store it.
Offline
We’ll hash the user entered password using the salt which we stored
We'll compare with the hash which we stored upon successful login
If both are equal then we’ll let the user in else we won’t let the user in.
So Now you don't have to worry about version compatibility.
Even If device is rooted it's so hard to brute force the hash.
Even if someone decompiles/cracks the app it's so hard to reverse engineer
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With