
I am using authentication for the first time and I have to save the username in a local database; I should also save the password and session ID, which I'm getting from a server.

So, I need to choose the best way to securely save this information. I have read some articles; in some the advice was SharedPreferences, in others account managers.

So, can you specify which way is best for this situation?

Nininea
  • In iOS, you should look at storing them in the [Keychain](https://developer.apple.com/library/ios/samplecode/GenericKeychain/Introduction/Intro.html#//apple_ref/doc/uid/DTS40007797-Intro-DontLinkElementID_2). – keithbhunter Aug 04 '15 at 15:36
  • by saying "account manager" do you mean `android.accounts.AccountManager`? – pskink Aug 04 '15 at 15:42
  • It will need more changes on my side for now, won't it? – Nininea Aug 04 '15 at 15:44
  • About the `AccountManager`: http://stackoverflow.com/questions/2720315/what-should-i-use-android-accountmanager-for – Mauker Aug 04 '15 at 15:54
  • Thanks @Mauker. Here is one interesting point: it isn't required to add an account in settings; I mean the credentials in this particular case have only a technical meaning and usage. – Nininea Aug 04 '15 at 16:02
  • Don't you think that in this case shared preferences is the best solution? – Nininea Aug 04 '15 at 16:04
  • `SharedPreferences` is definitely one way of doing it. I've posted an example on the answers. But keep in mind that it's not the safest way of doing so. There's another answer that shows a method with encryption. Or you could create your own encryption methods for your `SharedPreferences`. – Mauker Aug 04 '15 at 16:07
  • great, thanks @Mauker – Nininea Aug 04 '15 at 16:21

2 Answers

Don't use NSUserDefaults or SharedPreferences like others have suggested, because they store information in plain text. Since password information is considered sensitive data, encrypt it first.

For iOS use the KeyChain. This wrapper helps:

UICKeyChainStore

For Android use

secure-preferences

Note: To further back up my statements, Apple has been known to reject apps that store sensitive data in plain text, so please use encryption.

MobileMon
  • Sounds great. As I see, it is a custom library for Android (secure-preferences). I have a Xamarin project, so if I encrypt the password, then save it in shared preferences and decrypt it back, I get the same result, is that right? – Nininea Aug 04 '15 at 16:39

On Android, SharedPreferences is a good way of doing that; it's quite simple. But a friendly reminder... THIS IS NOT THE SAFEST WAY, but it's probably the easiest one. The user could access that file if the device is rooted, and the data is stored in plain text in a key-value way.

You could try to use some encryption on that data, or try to find a wrapper to handle that, like SecurePreferences as was suggested in other answers. iOS should have other wrappers or methods as well.

You could also use the AccountManager solution provided by Google. This was already discussed in this question here on SO.

You could also try to change the way you're authenticating the user on your server; a suggestion would be to use OAuth, like Twitter does.

But, if you'd like to use SharedPreferences, there's more on that below.

You can read more about SharedPreferences here. And you can access the docs here.

An example:

import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.text.TextUtils;

public class SessionManager {

    private static SessionManager instance = null;

    private SharedPreferences sharedPref;
    private Editor editor;

    private final String prefName = "session";

    // A Context is needed to open the preferences file; the application
    // context is kept so the singleton does not hold on to an Activity.
    public static SessionManager getInstance(Context context) {
        if (instance == null) {
            instance = new SessionManager(context.getApplicationContext());
        }

        return instance;
    }

    private SessionManager(Context context) {
        // MODE_PRIVATE: the file is readable only by this app (still plain text on disk).
        sharedPref = context.getSharedPreferences(prefName, Context.MODE_PRIVATE);
    }

    public void saveUser(String username, String password, int sid) {
        // Save only when every field is actually present
        // (the original condition was inverted and only saved empty values).
        if (!TextUtils.isEmpty(username) && !TextUtils.isEmpty(password) && sid > 0) {
            editor = sharedPref.edit();

            editor.putInt("session_id", sid);
            editor.putString("username", username);
            editor.putString("password", password); // stored unencrypted, as warned above

            editor.commit();
        }
    }

    public String getUsername() {
        return sharedPref.getString("username", null);
    }

    // Declare other methods to fetch the rest of the data.
}

TL;DR: It's best not to store that sensitive data as plain text. But it's definitely the simplest way.

Mauker