I'm creating a app to store encrypted data.
In this question, the OP si advised to store user's credential in clear.
But what if I'd like to store an encrypted password created with SecretKeySpec (the one used to encrypt data)? From my understanding the secret key is itself encrypted.
So I can I store and retrieve it.
Note: I'm not asking how to store preferences, just if my understanding of how SecretKeySpec works and how to, sort of, serialize and retrieve the encrypted password.
EDIT: Sorry, I forgot to specify it needs to be compatible with API level 4.
Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both.
There is no better way to keep your passwords safe than to use a password manager, like Bitwarden. A good password manager should do more than store passwords, such as generate strong passwords and monitor data breaches for compromised passwords.
The main storage methods for passwords are plain text, hashed, hashed and salted, and reversibly encrypted. If an attacker gains access to the password file, then if it is stored as plain text, no cracking is necessary.
Straight from the developer website.
Be Smart About Security!
It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.
With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker. If your user credentials are protecting something valuable, you should carefully consider doing something similar.
Remember: When it comes to security code, follow the "Mythbusters" rule: don't try this at home! Consult a security professional before implementing any custom account code.
Now that the security disclaimers are out of the way, it's time to get back to work. You've already implemented the meat of your custom account code; what's left is plumbing.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With