15

What is a good practice to save username and password on device?

I have gone through many answers on StackOverflow and now I am a bit confused.

I am working on an email app and I want my user to feel absolutely safe while using it.

Some people suggest that we should encrypt it and save it in SharedPreference. Some suggest we shouldn't save it on device at all.

I just want the user's details to be stored in the safest place possible.

Any help, suggestions would be highly appreciated.

Varundroid

4 Answers

17

You should save users' credentials using the AbstractAccountAuthenticator class. Not only is this super secure, it also makes your app feel more integrated with Android. Have you ever gone to the "Accounts" screen in your Android settings and seen your Facebook, Twitter, and GMail accounts there? That's because they're using an AccountAuthenticator. Also, it allows you to associate URIs/ContentProviders with particular user accounts. To see a really comprehensive (but complicated) example of all this, check out the SampleSyncAdapter example.

Kurtis Nusbaum
1

If security is a concern, eventually it still boils down to saving the user credentials in encrypted form. Here are some suggestions:

  1. Consider encrypting the credentials using Base64.

  2. The encryption key should be divided into different parts and saved in different parts of the app. Only to be combined by app logic.

  3. Consider using JNI for encryption part of the code.

  4. Once you have an encryption logic in place, you should use AbstractAccountAuthenticator.

Remember two things: a. An apk can be decompiled to retrieve the key. (That's why (2) and (3)). b. Saving plain text is disastrous. (That's why (1)).

On second thoughts, once you have 1, 2 and 3 in place, you may use SharedPreferences as well.

codeFood
1

Do you have any control of the server side, or is this a generic email client? If you can control the server side, I would do something like authenticate, then have the server generate a UUID and keep that locally for future API calls. Another idea would be to send a hash of the password to API calls instead of the actual password, then you can store just the password hash locally.

The issue with encrypting the username/password is that your code needs to be able to decrypt it, and if your code can decrypt it, somebody can reverse engineer your code and do that as well, although you can make it easier/harder by how you code and package it.

Once you figure out WHAT you're storing, you can figure out how you store it. One account? Shared prefs. Multiple accounts? Create a Sqlite DB.

I would suggest using http://ormlite.com/ to handle your db connections. I did a good chunk of the initial Android port work, and it's now been enhanced/maintained by a top-notch group of hackers. Very solid stuff.

See more SQLite blog posts:

http://www.touchlab.co/blog/single-sqlite-connection/
http://www.touchlab.co/blog/android-sqlite-locking/

Kevin Galligan
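The token scheme this answer describes (authenticate once, then keep a server-issued value on the device instead of the password), as an added example that is not part of the original answer. It is plain JDK Java standing in for the server, and it assumes a constructed user table, a 32-byte random token in place of the UUID, and the hypothetical names `login`, `authenticate` and `revoke`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class TokenLoginDemo {
    // Constructed user table: stand-in for the server's real password check.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse");
    // Server keeps only SHA-256(token) -> username, so a leaked table holds no usable tokens.
    private static final Map<String, String> SESSIONS = new HashMap<>();

    static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Server: verify the password once, then hand back a random opaque token.
    static String login(String user, String password) throws Exception {
        String expected = USERS.get(user);
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8))) return null;
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(sha256(token), user);
        return token;
    }

    // Server: resolve a token presented on an API call; null means rejected.
    static String authenticate(String token) throws Exception {
        return token == null ? null : SESSIONS.get(sha256(token));
    }

    // Server: revoke one device's token without touching the password.
    static void revoke(String token) throws Exception {
        SESSIONS.remove(sha256(token));
    }

    public static void main(String[] args) throws Exception {
        String stored = login("alice", "correct horse"); // the only value the device persists
        System.out.println("API call as: " + authenticate(stored));
        revoke(stored); // e.g. the phone was lost or a crash report leaked the prefs
        System.out.println("after revoke: " + authenticate(stored));
        System.out.println("bad password: " + login("alice", "guess"));
    }
}
```

A token copied off the device still works until it is revoked, so it needs the same storage care as any secret; the gain is that it can be invalidated per device and never reveals the password itself.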
-4

SharedPreference is the best option.

  1. Ease of Use
  2. Only deleted when user clears data for the App
  3. Flexibility to change values when user uses another set of login credentials.

Here is how you can do it.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.preference.PreferenceManager;

public class LoginPrefs {
    private static final String LOGIN_EMAIL = "login_email";

    /* Pass in the email the user entered in the EditText. */
    public static void saveLoginEmail(Context context, String v_user_email) {
        SharedPreferences mAppPreferences =
                PreferenceManager.getDefaultSharedPreferences(context);
        SharedPreferences.Editor mEditor = mAppPreferences.edit();
        mEditor.putString(LOGIN_EMAIL, v_user_email);
        mEditor.commit(); // synchronous write to the app's private prefs file
    }
}
```

I don't think SharedPreference storage is unsafe or can be tampered with.

Aakash
  • 1
    Funny thing is, if you use something like ACRA to do exception logging for you, it will dump out all the user's shared prefs at the time of the crash, so the password gets exposed right there... interesting. – topwik Dec 14 '12 at 16:51
  • @towpse you can dump all you want but you can never use that password to login to the app. – Aakash Dec 15 '12 at 17:09
  • 2
    That depends on the app, doesn't it? – topwik Dec 17 '12 at 21:21