Android Storing username and password

Question

If I want to store the username and password to be used inside an Android application  what is the best way to do it  Is it through the preferences screen  but what if the user misses this    or pop up a dialog box and ask the user for the credentials  If so  I do have to maintain state for the application  How would I do this

User · Answer

Take a look at What is the most appropriate way to store user settings in Android application if you re concerned about storing passwords as clear text in SharedPreferences

User · Answer

These are ranked in order of difficulty to break your hidden info    Store in cleartext Store encrypted using a symmetric key Using the Android Keystore Store encrypted using asymmetric keys   source  Where is the best place to store a password in your Android app     The Keystore itself is encrypted using the user   s own lockscreen pin password  hence  when the device screen is locked the Keystore is unavailable  Keep this in mind if you have a background service that could need to access your application secrets    source  Simple use the Android Keystore to store passwords and other sensitive information

User · Answer

I think the best way to secure your credential is to first think of storing the Password with encryption in the account db file which couldn t be easily available in non rooted devices and in case of rooted device the hacker must need the key to decrypt it   Other option is do all your authentication like the way Gmail is doing  after the first authentication with the Gmail server   you got the Auth Token that would be use in case of your password   that token would be store in plain text this token could be false in case you change the password from Server   the last option I d recommend you to enable 2-Factor Authentication  amp  create Device Specific Password for your device  After losing device  all you need is to disable that device

User · Answer

You can also look at the SampleSyncAdapter sample from the SDK  It may help you

User · Answer

The info at http   nelenkov blogspot com 2012 05 storing-application-secrets-in-androids html is a fairly pragmatic  but  uses-hidden-android-apis  based approach  It s something to consider when you really can t get around storing credentials passwords locally on the device   I ve also created a cleaned up gist of that idea at https   gist github com kbsriram 5503519 which might be helpful

User · Answer

With the new  Android 6 0  fingerprint hardware and API you can do it as in this github sample application

User · Answer

You should use the Android AccountManager   It s purpose-built for this scenario   It s a little bit cumbersome but one of the things it does is invalidate the local credentials if the SIM card changes  so if somebody swipes your phone and throws a new SIM in it  your credentials won t be compromised   This also gives the user a quick and easy way to access  and potentially delete  the stored credentials for any account they have on the device  all from one place   SampleSyncAdapter  like  Miguel mentioned  is an example that makes use of stored account credentials

User · Answer

Most Android and iPhone apps I have seen use an initial screen or dialog box to ask for credentials   I think it is cumbersome for the user to have to re-enter their name password often  so storing that info makes sense from a usability perspective    The advice from the  Android dev guide  is      In general  we recommend minimizing the frequency of asking for user   credentials -- to make phishing attacks more conspicuous  and less   likely to be successful  Instead use an authorization token and   refresh it       Where possible  username and password should not be stored on the   device  Instead  perform initial authentication using the username and   password supplied by the user  and then use a short-lived    service-specific authorization token    Using the AccountManger is the best option for storing credentials   The SampleSyncAdapter provides an example of how to use it    If this is not an option to you for some reason  you can fall back to persisting credentials using the Preferences mechanism   Other applications won t be able to access your preferences  so the user s information is not easily exposed

User · Answer

Take a look at this this post from android-developers  that might help increasing the security on the stored data in your Android app   Using Cryptography to Store Credentials Safely

[android] Android: Storing username and password?

Examples related to android

Examples related to authentication

Examples related to storage

Examples related to credentials