Android: Storing username and password?

AndroidAuthenticationStorageCredentials

Android Problem Overview

If I want to store the username and password to be used inside an Android application, what is the best way to do it? Is it through the preferences screen (but what if the user misses this?), or pop up a dialog box and ask the user for the credentials? If so, I do have to maintain state for the application. How would I do this?

Android Solutions

Solution 1 - Android

Most Android and iPhone apps I have seen use an initial screen or dialog box to ask for credentials. I think it is cumbersome for the user to have to re-enter their name/password often, so storing that info makes sense from a usability perspective.

The advice from the (Android dev guide) is:

> In general, we recommend minimizing the frequency of asking for user > credentials -- to make phishing attacks more conspicuous, and less > likely to be successful. Instead use an authorization token and > refresh it. > > Where possible, username and password should not be stored on the > device. Instead, perform initial authentication using the username and > password supplied by the user, and then use a short-lived, > service-specific authorization token.

Using the AccountManger is the best option for storing credentials. The SampleSyncAdapter provides an example of how to use it.

If this is not an option to you for some reason, you can fall back to persisting credentials using the Preferences mechanism. Other applications won't be able to access your preferences, so the user's information is not easily exposed.

Solution 2 - Android

You should use the Android AccountManager. It's purpose-built for this scenario. It's a little bit cumbersome but one of the things it does is invalidate the local credentials if the SIM card changes, so if somebody swipes your phone and throws a new SIM in it, your credentials won't be compromised.

This also gives the user a quick and easy way to access (and potentially delete) the stored credentials for any account they have on the device, all from one place.

SampleSyncAdapter (like @Miguel mentioned) is an example that makes use of stored account credentials.

Solution 3 - Android

I think the best way to secure your credential is to first think of storing the Password with encryption in the account.db file which couldn't be easily available in non rooted devices and in case of rooted device the hacker must need the key to decrypt it.

Other option is do all your authentication like the way Gmail is doing. after the first authentication with the Gmail server . you got the Auth Token that would be use in case of your password . that token would be store in plain text.this token could be false in case you change the password from Server.

the last option I'd recommend you to enable 2-Factor Authentication & create Device Specific Password for your device. After losing device, all you need is to disable that device.

Solution 4 - Android

Take a look at https://stackoverflow.com/questions/785973/what-is-the-most-appropriate-way-to-store-user-settings-in-android-application/6393502#6393502 if you're concerned about storing passwords as clear text in SharedPreferences.

Solution 5 - Android

You can also look at the SampleSyncAdapter sample from the SDK. It may help you.

Solution 6 - Android

Take a look at this this post from android-developers, that might help increasing the security on the stored data in your Android app.

Using Cryptography to Store Credentials Safely

Solution 7 - Android

With the new (Android 6.0) fingerprint hardware and API you can do it as in this github sample application.

Solution 8 - Android

These are ranked in order of difficulty to break your hidden info.

  1. Store in cleartext

  2. Store encrypted using a symmetric key

  3. Using the Android Keystore

  4. Store encrypted using asymmetric keys

source: Where is the best place to store a password in your Android app

> The Keystore itself is encrypted using the user’s own lockscreen pin/password, hence, when the device screen is locked the Keystore is unavailable. Keep this in mind if you have a background service that could need to access your application secrets.

source: Simple use the Android Keystore to store passwords and other sensitive information

Solution 9 - Android

The info at http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html is a fairly pragmatic, but "uses-hidden-android-apis" based approach. It's something to consider when you really can't get around storing credentials/passwords locally on the device.

I've also created a cleaned up gist of that idea at https://gist.github.com/kbsriram/5503519 which might be helpful.

Categories
Recommended Android Solutions
Recommended Authentication Solutions
Recommended Storage Solutions
Recommended Credentials Solutions

Previous Solution:

Count table rows

Mysql

Next Solution:

Citing the author of a blockquote using Markdown syntax

MarkdownCitations

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionLegendView Question on Stackoverflow
Solution 1 - AndroidEric LevineView Answer on Stackoverflow
Solution 2 - AndroidJon OView Answer on Stackoverflow
Solution 3 - AndroidRizView Answer on Stackoverflow
Solution 4 - AndroidemmbyView Answer on Stackoverflow
Solution 5 - AndroidmiguelvView Answer on Stackoverflow
Solution 6 - AndroiddwbritoView Answer on Stackoverflow
Solution 7 - AndroidZlatkoView Answer on Stackoverflow
Solution 8 - AndroidDmytro MelnychukView Answer on Stackoverflow
Solution 9 - AndroidkbsView Answer on Stackoverflow