Menu
I'm making an android application and currently, I have my server username and password written as constants in my code (which is not very secure). I have researched online but I couldn't really find something that would completely secure the password from the user or at least prevent from hackers. Could anyone help me out on how to securely store a password locally on android? Thanks!
653
Use a preinstalled key to encrypt/decrypt your AES key as shown in the second case above. External token: The protected keys are not stored in the device. You can use an external token containing a private/public key pair that allows you to encrypt the AES key. The token can be accesed using bluetooth or NFC.
If your device is hacked or stolen, storing passwords on your device gives hackers easy access to all of your accounts and personal information. Although it might be tempting and convenient, you should never save passwords on your phone, tablet, or computer.
Google offers a built-in password manager in Chrome and Android that automatically saves and syncs all your login details across devices. It makes logging into various apps and services as simple as tapping on the login box and verifying your identity.
It seems your question is actually "can I restrict server access to my application only?". This is not possible. Once an application or file exists on a client (eg. a user device), there's no sure-fire way to prevent that client from accessing anything in that application or file, with or without your authorization.
If the device can read it, then the device can read it - regardless of whether it's actually your application doing the reading, or something else pretending to be the application.
The most you can do is trying to obfuscate the credentials, but this is unlikely to be useful - those who might have an interest in extracting credentials from your application, will also likely be those who have the skills to bypass such obfuscation.
I can't really give you a more specific suggestion without knowing your usecase. For remote APIs, API keys are typically used - but this would require that the user create an account. For account-less applications, what you want is simply not possible.
I should also note that "preventing hackers" is not a meaningful goal - that can mean many things. You'll want to read up on how threat modelling works, and determine exactly who your 'attackers' are, what their goals are, and what their capabilities are. Only then can you try to find solutions against it.
EDIT: Just wanted to add an extra word of warning: anybody telling you that obfuscation is "effective" for these kind of scenarios, is trying to sell you something. Unfortunately they are generally rather successful in such attempts. The obfuscation model cannot and does not work.
83
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
