
What is the best method to authenticate users for my Android application?

I'm working on an Android application that needs users to be registered with us first; only then can they access it. The information users will get will be really sensitive, so I want a secure method to do this. I have never worked on such an authentication feature before with Android, but when I had to do something similar for a web application I would store the passwords MD5-hashed in a MySQL database. But I think this isn't quite a secure method, is it?

What can I do to ensure security for my users while authenticating them?

Also, can I use OAuth here?

GrowinMan asked Dec 18 '25 18:12



1 Answer

Yes, you can use OAuth on Android. You should look at the official Android OAuth2 training: http://developer.android.com/training/id-auth/authenticate.html

If you decide to implement your own authentication method, then storing passwords will be tricky. MD5 is insecure; SHA-256 with salting may be enough. In this scheme you store two things:

  1. The password hash = SHA(password + salt)
  2. The salt, which is a random literal.

A good tutorial and a lot of details on this topic can be found on this page

If you have to deal with high-risk data, I suggest you contact security specialists who can help you create an appropriate solution. If you do it yourself without experience, then it is most probable that you will fail.

allprog answered Dec 20 '25 09:12
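
The storage scheme described in the answer above, as an added example that is not part of the original post: each user gets a random salt, and only the salt and hash are stored. It goes beyond the answer by also showing a key-stretched variant (PBKDF2-HMAC-SHA256) next to the single SHA-256 pass. Python stands in for the server side; the function names, salt length and round count are assumptions.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16          # assumption: 128-bit random salt per user
PBKDF2_ROUNDS = 600_000  # assumption: tune to your server's latency budget


def derive(scheme: str, password: str, salt: bytes, rounds: int) -> bytes:
    pw = password.encode("utf-8")
    if scheme == "sha256":
        # The answer's scheme: one pass of SHA-256 over password + salt.
        return hashlib.sha256(pw + salt).digest()
    if scheme == "pbkdf2":
        # Same inputs, stretched: every guess costs `rounds` HMAC-SHA256 calls.
        return hashlib.pbkdf2_hmac("sha256", pw, salt, rounds)
    raise ValueError(f"unknown scheme: {scheme}")


def register(password: str, scheme: str = "pbkdf2",
             rounds: int = PBKDF2_ROUNDS) -> dict:
    """Return the row to store: salt and hash, never the password itself."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt for each user
    digest = derive(scheme, password, salt, rounds)
    return {"scheme": scheme, "rounds": rounds,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, row: dict) -> bool:
    """Recompute with the stored salt, then compare in constant time."""
    candidate = derive(row["scheme"], password,
                       bytes.fromhex(row["salt"]), row["rounds"])
    return hmac.compare_digest(candidate, bytes.fromhex(row["hash"]))


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    alice = register("correct horse battery staple")
    bob = register("correct horse battery staple")
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    print("correct password accepted:", verify("correct horse battery staple", alice))
    print("wrong password rejected:", not verify("wrong guess", alice))
    legacy = register("correct horse battery staple", scheme="sha256")
    print("answer's scheme verifies too:", verify("correct horse battery staple", legacy))
```

Storing the scheme name and round count in each row lets the server raise the cost later and re-hash a user's password at their next successful login.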
