Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Should you use AccountManager for storing Usernames and Passwords for an Android app?

Tags:

java

android

password-storage

accountmanager

android-account

I would like to know if one should implement AccountManager to save user credentials such as username, email, passwords etc. I can't find a good reason to use it myself.

I don't want other applications to have access to the Accounts and I don't really want them showing in the "Accounts and Sync" settings (although maybe that's not a big deal).

So my question is: should I use it? Pros/cons? Can I hide the Accounts from other apps and stop them from appearing in "Accounts and Sync"?

like image 491
HGPB Avatar asked Jun 05 '12 00:06

HGPB

People also ask

What is AccountManager in Android?

android.accounts.AccountManager. This class provides access to a centralized registry of the user's online accounts. The user enters credentials (username and password) once per account, granting applications access to online resources with "one-click" approval.

What is Account Manager app?

Accounts Manager app can be used to track your daily income and expense transaction as per your need. Easy Entries: Account Manager App is easy in adding, deleting and canceling a credit or debit entry.

2 Answers

This accepted answer to this question would probably help you... What should I use Android AccountManager for?

It should also be pointed out, as mentioned in the above post and also in AccountManager without a SyncAdapter? , that you can't have an AccountManager without a SyncAdapter, so its probably not good to use this for your particular situation.

I can't see any reason to use an AccountManager specifically for storing this type of information - at the end of the day, its no different to manually storing the data yourself in your own database or file. If anything, it probably complicates things - why don't you just store it in SharedPreferences?

The only reason I could think of that would encourage the use of AccountManager would be if you want to share your account across a number of different apps, as the data is stored in the central Android datastore which can be accessed by all apps. However, if this isn't required, I think its probably easier and simpler to just use SharedPreferences

like image 147
wattostudios Avatar answered Sep 23 '22 05:09

wattostudios

Overview

Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB.
A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key.

But even the AccountManager is not fully secured in case of lost phone for example, see this for more info.

Good practice(s)

  • I would recommend to use the AccountManager and not store the password in clear but the hash.
  • And for a better level of security it's even better to store a device dedicated token delivered by the webservice and associated to the account (on the webservice side) and enable the user to revoke the token.

Not good

  • Do not store a clear or even hashed password as a file or in a DB accessible by anyone.
  • Never store a clear password but always work with a hash instead.

See also

  • What protects Android AccountManager passwords from being read by other apps?
  • http://developer.android.com/training/articles/security-tips.html#Credentials
like image 32
Joan Avatar answered Sep 21 '22 05:09

Joan
Sign in to Comment

Related questions

Shared Element Transition not working
What is the exact use of the executor in grpc-java’s ServerBuilder? Does it just execute the handler methods?
Elasticsearch Rest Client with Spring Data Elasticsearch
Exclude @Configuration from Spring Boot Application
What is difference between autoReconnect & autoReconnectForPools in MySql connector/J?
Read maximum heap space at runtime
Testing a method instead of testing a whole file in Netbeans w/ JUnit
How to identify checked and unchecked exceptions in java?
Best practices for rolling back transactions in Spring 3/Hibernate
Java: How to find if a method is overridden from base class? [duplicate]
How to persist a lot of entities (JPA)
What's this "Album artist" tag iTunes uses? Any way to set it using java?
How do you check both the exception's type as well as they type of the nested exception?
Hibernate criteria: how to order by two columns concatenated?
how to printf a long typed value using input size modifier?
Java: Get URI from FilePath
Windows shutdown hook on java application run from a bat script
Problems with https (No peer certificate) in android
How to store an array of pairs in Java?
Is it possible to run a socket server and socket client on the same machine?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!