2

In my app I send bug reports via email. I heard that hardcoding my password here is not secure, so how do I protect it?

Is it enough to write it into my /res/values and then read it from there?

The reason for this is that I won't use the internal email app. Then the user exits my app, and that's not very good because he may not come back.

GMailSender sender = new GMailSender("my_emailadress@gmail.com", "my_password");
sender.sendMail("Bugreport", 
                currentQuestion.getID(),   
                "my_emailadress@gmail.com",   
                "my_emailadress@gmail.com"); 

Please help me. Thanks

androiddevjedi
  • Instead of hardcoding, you can build one UI component which will ask for the email and password while sending the message, so that you or the user can type the username and password there and then send it. – Triode Feb 22 '12 at 09:18

2 Answers

3

There is no really secure way to protect your password if you put it in your app at all. The least you could do would be to make a separate account, so it's not interlinked with your real account.

Apart from that, I would recommend not using this approach at all. Using the built-in mail app isn't that bad. This way the user would know he is contributing something to making your app better, which is a good thing.

A third possibility would be making a webpage for submitting bugs and sending an HTTP request in your app when a bug occurs. However, let the user know about it, because if not, he may think you're spying on him.

And then there is the crash reporting mechanism of Android, which is built in, so you don't have to do anything at all.

Kirill Rakhman
  • Hi, thank you. I don't send this in the background; it's an alert dialog and the user has to confirm that the bug report is sent to me. So no spying. Yes, I may do the thing with the second email; this would be a very simple solution. But when my app gets more popular I may change things and send it via HTTP request. – androiddevjedi Feb 22 '12 at 09:42
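
The HTTP-submission approach from the answer above, as an added example that is not part of the original answer: the app posts the user-confirmed report over HTTPS to a server the developer controls, and only that server holds any mail credentials. The endpoint URL, class name and JSON field names are hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

/** Sends a user-confirmed bug report to the developer's server; the app holds no mail password. */
public class BugReportClient {
    // Hypothetical endpoint (assumption). The server behind it owns the SMTP
    // credentials or writes to a bug tracker; nothing secret ships in the APK.
    private static final String ENDPOINT = "https://bugs.example.com/api/report";

    /** Escapes a value so it can be embedded in a JSON string literal. */
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    static String buildPayload(String questionId, String details) {
        return "{\"subject\":\"Bugreport\",\"questionId\":\"" + jsonEscape(questionId)
                + "\",\"details\":\"" + jsonEscape(details) + "\"}";
    }

    /** Call from a background thread after the user confirmed the dialog. Returns true on HTTP 2xx. */
    public static boolean send(String questionId, String details) throws IOException {
        byte[] body = buildPayload(questionId, details).getBytes(StandardCharsets.UTF_8);
        // The cast fails for a non-https URL, so the report is never sent in cleartext.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(ENDPOINT).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(10_000);
            conn.setDoOutput(true);
            conn.setFixedLengthStreamingMode(body.length);
            conn.setRequestProperty("Content-Type", "application/json; charset=utf-8");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            int status = conn.getResponseCode();
            return status >= 200 && status < 300;
        } finally {
            conn.disconnect();
        }
    }
}
```

Because the endpoint accepts unauthenticated submissions, the server side should rate-limit and size-limit requests and treat every field as untrusted input.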
0

You can use SHA encryption to encrypt your password:

Below is the code to use SHA encryption:

import java.io.UnsupportedEncodingException; 
import java.security.MessageDigest; 
import java.security.NoSuchAlgorithmException; 

public class AeSimpleSHA1 { 

    private static String convertToHex(byte[] data) { 
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < data.length; i++) { 
            int halfbyte = (data[i] >>> 4) & 0x0F;
            int two_halfs = 0;
            do { 
                if ((0 <= halfbyte) && (halfbyte <= 9)) 
                    buf.append((char) ('0' + halfbyte));
                else 
                    buf.append((char) ('a' + (halfbyte - 10)));
                halfbyte = data[i] & 0x0F;
            } while(two_halfs++ < 1);
        } 
        return buf.toString();
    } 

    public static String SHA1(String text) 
            throws NoSuchAlgorithmException, UnsupportedEncodingException  { 
        MessageDigest md;
        md = MessageDigest.getInstance("SHA-1");
        byte[] sha1hash = new byte[40];
        md.update(text.getBytes("iso-8859-1"), 0, text.length());
        sha1hash = md.digest();
        return convertToHex(sha1hash);
    } 
}
Gueorgui Obregon
Shishir Shetty
  • 1
    He can't use cryptography because he wants to store his password inside his application without entering it at runtime. – caiuspb Feb 22 '12 at 09:31
  • Well, maybe there is a way, but I have no clue how to do it. You have to store the PW inside your application if you want to encrypt it at runtime. – caiuspb Feb 22 '12 at 09:33
  • 4
    Just to make it clear: SHA is a family of hash functions, not an encryption algorithm. Hardcoding a hash is as bad as hardcoding the psw itself. You are not protected against decompilers. – Mister Smith Sep 27 '12 at 11:16