I am looking for the best practice for storing user credentials in a Windows Phone 7 app. I am writing an app for a web service that requires authentication. Thankfully it is only basic authentication at this point. What is the best way to store those credentials?
The best way to store credentials in your case would be encrypting them and storing in the application-specific isolated storage - basically, it cannot be accessed by any other application, so that gives another protection layer.
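As an added illustration of the approach described in this answer (example code, not the answer author's own): it assumes Windows Phone 7.1 (Mango), which added the DPAPI-backed ProtectedData class; the file name and the CredentialStore class name are this example's own choices.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Assumed: Windows Phone 7.1 or later (ProtectedData is not present on 7.0).
public static class CredentialStore
{
    private const string FileName = "credentials.bin"; // assumed, app-specific name

    // Encrypts "user\npassword" with DPAPI and writes it to the app's isolated storage,
    // which other applications cannot read.
    public static void Save(string userName, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(userName + "\n" + password);
        // Protect() uses a key bound to this app and device; no extra entropy here.
        byte[] cipher = ProtectedData.Protect(plain, null);
        Array.Clear(plain, 0, plain.Length); // drop the plaintext copy promptly

        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        using (var stream = store.OpenFile(FileName, FileMode.Create, FileAccess.Write))
        {
            stream.Write(cipher, 0, cipher.Length);
        }
    }

    // Returns false when nothing usable is stored; otherwise decrypts and splits the pair.
    public static bool TryLoad(out string userName, out string password)
    {
        userName = password = null;
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(FileName)) return false;
            byte[] cipher;
            using (var stream = store.OpenFile(FileName, FileMode.Open, FileAccess.Read))
            {
                cipher = new byte[stream.Length];
                stream.Read(cipher, 0, cipher.Length);
            }
            byte[] plain = ProtectedData.Unprotect(cipher, null);
            string[] parts = Encoding.UTF8.GetString(plain, 0, plain.Length).Split('\n');
            Array.Clear(plain, 0, plain.Length);
            if (parts.Length != 2) return false;
            userName = parts[0];
            password = parts[1];
            return true;
        }
    }

    // Lets the user sign out and remove the cached credentials.
    public static void Clear()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
            if (store.FileExists(FileName)) store.DeleteFile(FileName);
    }
}
```

Because the DPAPI key is tied to the app and device, a copy of the file lifted off the phone is not directly decryptable, but any code running inside the app can still call Unprotect, which is the limitation the other answer's quotes describe.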
In terms of security, the best practice would be to avoid storing user credentials if possible. MSDN states:
Applications often ask users to provide a username and password that is used as credentials to authenticate the user with a web service or website, yet if they do so each time the application is run, users can become annoyed.
It is strongly recommended that your application prompt for usernames and passwords each time your application needs them from the user; if you attempt to save the credentials on the phone you risk exposure of those credentials to a malicious application if the Windows Phone is lost or stolen.
Actually, in the data encryption tutorial mentioned in the other answer, Rob Tiffany makes a similar disclaimer:
The OS Does Not include framework support for storing your passwords and salt values securely nor does it come with any kind of built-in key management. This means the only way to ensure your encrypted data is actually secure is to never store your password, salt value or keys on the phone.
...
If you see an app in the Windows Phone Marketplace that allows you to cache your credentials or keys locally for convenience, be aware that these are Not Secure solutions because everything a hacker needs to get at your data is right there in the code or in Isolated Storage.
Encryption is good for raising the bar, but this would not really protect the credentials from a knowledgeable hacker. Usability sometimes trumps security, but you should take this decision knowing that encryption will not solve the core issue in this case (and maybe let the user be aware of this risk).