All geek questions in one place

How to safely store passwords on Android?

The task is to save the entered password (PasswordStr) or mKey.getEncoded byte [], and then automatically send it to the Crypto API (Cipher)

SecretKey mKey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(PasswordStr.toCharArray());

It is clear that this password can also be encrypted, but this will require a different password, and so on ad infinitum.

Maybe Android already provides a mechanism for storing passwords?

ps it is impossible to use a remote server. Must be stored locally.

+6
source share
3 answers

You can use the Android Keystore API .

The secret is encrypted with the master password obtained from the phone’s password or PIN. It is considered a good encryption software solution. Please note that the user must set a password / contact on his phone for this to work.

Nelenkov gives a good overview:

The Android credential store is implemented as a native Linux service (daemon), with several additional layers on top of it that make it accessible to the structure. Let’s quickly look at what we know about the daemon key store (described in more detail here):

  • this is the native daemon launched on boot
  • it provides a local management socket that allows applications and system services to talk to it.
  • it encrypts keys using the AES 128-bit wizard
  • keys with encrypted keys are stored in / data / misc / keystore, one file per key
  • the master key is derived from the device unlock password or PIN.
  • Allows administration commands and key access based on caller ID

See the Android documentation for more details.

+3
source

Check the "Credential Processing" section of the Android Developer's Guide. . I will bring it here.

If possible, the username and password should not be stored on the device. Instead, perform initial authentication using the user name and password provided by the user, and then use the short-lived , specialized authorization token ..

Services available across multiple applications can be accessed using the AccountManager . If possible, use the AccountManager class to invoke the cloud service and do not store passwords on the device.

After using the AccountManager to retrieve the Account , CREATOR before transferring any credentials so that you do not accidentally transfer credentials to the wrong application.

If the credentials should only be used by the applications you create, you can check the application that accesses the AccountManager using checkSignature () . Alternatively, if only one application will use credentials, you can use KeyStore for storage.

+2
source

you can use SQLCipher for android. This is a SQLite extension that provides transparent 256-bit encryption of AES database files.

0
source

Source: https://habr.com/ru/post/981515/

More articles:


All Articles