In my app, user logs in with a web service, and web service returns an Authorization Key. After that point, every request user makes is done with this key.
My question is how to securely store this key? I have been storing it in SharedPreferences, but that does not sound very secure to me.
Security features. The Android Keystore system protects key material from unauthorized use in two ways. First, it reduces the risk of unauthorized use of key material from outside the Android device by preventing the extraction of the key material from application processes and from the Android device as a whole.
The Android application sandbox, which isolates your app data and code execution from other apps. An application framework with robust implementations of common security functionality such as cryptography, permissions, and secure interprocess communication (IPC).
Android platform uses the Linux user-based permissions model to isolate application resources. This process in called application sandbox. The aim of sandboxing is to prevent malicious external programs from interacting with the protected app.
You are right using shared preferences is not the approach to follow. You should utilise Android Keystore System for any such purpose, it is preferred approach.
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
And KeyStoreUsage.java is the example for same.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With