How to securely store credentials (password) in Android application?

44
votes

I want to store the password used for signing in a financial application that I am developing at a secure place. After doing some net surfing I found following options but each of them has certain drawback.

1) KeyChain.
Only available in OS version 4.

2) Shared Preferences.
It stores data in plain text even though if I encrypt the data then the encryption key can be compromised by decompiling the application code.

3) Access keystore daemon and store credentials in it.
(http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html) Requires another password to remember.

Please suggest me a better way to secure credential information in android application like IPhone KeyChain.

2
androidsecurity
see stackoverflow.com/questions/1925486/…mjn

2 Answers

18
votes

The is no equivalent of iPhone's KeyChain in Android currently. If you want to keep something secret, don't store it on the device. Or at least, don't store the key/password it is encrypted with on the device. Simple as that.

Additionally:

1) Even on ICS, you cannot use the KeyChain directly to store application secrets (see blog post in 3))

2) This is only a problem for rooted phones, or if someone has physical access to the device.

3) It is a lot better to remember a single password, protecting all of you credentials, than trying to remember multiple passwords. Additionally, on ICS, there is no separate password, the credential storage is protected by the device unlock password.

9
votes

Hashing is the solution don't store credentials as plain text in shared preferences or any medium.

Just salt and hash the password then you may proceed to store it in either sharedPreferences or some embedded db.

Here is how it works:

Online

  1. The plain(unhashed) password is sent to server for authentication & authorization upon successful login.

  2. The salt either can be generated and returned from server to client or can be generated at client

  3. Then store it as salt and hash the password and store it.

Offline

  1. We’ll hash the user entered password using the salt which we stored

  2. We'll compare with the hash which we stored upon successful login

  3. If both are equal then we’ll let the user in else we won’t let the user in.

Advantages:

  1. So Now you don't have to worry about version compatibility.

  2. Even If device is rooted it's so hard to brute force the hash.

  3. Even if someone decompiles/cracks the app it's so hard to reverse engineer