0

I'm developing an app that the user can use in remote locations. I've created a startup dialog asking for a password. I saved the password in SharedPreferences.

My question is, is it a good idea to do that? Or is there a better way for storing passwords for offline apps?

Because when I try to clear the data of my app in Settings -> Apps, my saved password in SharedPreferences is also deleted.

Abhijit Muke
Jane07
  • you should use `sqlite` for local data persistence – R9J Feb 18 '14 at 09:27
  • @R9J databases are also cleared when the application is uninstalled or you press on clear data from settings – Blackbelt Feb 18 '14 at 09:30
  • if security is not a concern both SP and DB, imo, are "good" solutions. If the user clicks on clear data he will be prompted again with the pop-up and you'll store the password again. – Blackbelt Feb 18 '14 at 09:33
  • If clicking 'Clear Data' is the main concern, then you can store it in a text file with encryption. Even it can be deleted using FileManager – R9J Feb 18 '14 at 09:45
  • @blackbelt My friend, I agree. – R9J Feb 18 '14 at 09:52

3 Answers

2

you can hash your password and store it in a file

search for hash function like MD5 or ..

Vahid Forghani
  • hash? you mean like encrypting it? – Jane07 Feb 18 '14 at 11:26
  • yes it's like encrypting but you can't decrypt it, this is the key element of hash functions – Vahid Forghani Feb 18 '14 at 11:39
  • if you save the hash code of a password in a file, no one can find the password from the hashed code. To check whether the entered password is correct, you just hash the entered password and compare it with the saved hash code; if they are equal return true, else return false – Vahid Forghani Feb 18 '14 at 11:44
1

Basically, clearing the data of your app cleans what you store in SharedPreferences, so that is normal. Storing data with SharedPreferences is useful, but someone with a rooted device can access this data (basically an XML file stored in "/data/data/app_packages"). So you seriously have to consider encrypting your password before storing it with SharedPreferences.

Substitut
  • if your device is rooted, can you also see the strings inside your sqlite database? – Jane07 Feb 18 '14 at 11:21
  • I'm almost sure that databases are stored in the same place as the XML files from SharedPreferences, and so with a rooted phone you're able to get this db. It's obviously much more complicated to open an sqlite database than an XML file, but it is still possible. That's why you have to encrypt your password before storing it. – Substitut Feb 18 '14 at 13:03
1

My question is, is it a good idea to do that?

Generally, it is not a good idea to store passwords in plaintext, even if it is an offline application and gets cleared sometimes anyway. Like you mentioned before, all that information and even the database can be extracted from your application storage when the device is rooted. Even if the content of that application is trivial, someone can do what is mentioned above just to see what password you use, so he/she can try to hack other accounts of yours. This is especially the case if more people are using this application.

If you are aware of, and OK with that, you surely can use SP or DB. If you want to do something in the right direction, you can encrypt passwords, or hash them (though I recommend not to use MD5, but something like SHA2, Whirlpool, RipeMD2 or even PBKDF2). Using an encrypted database like SQLCipher is also nice, since you have to set it up only once, and everything that is added to your application afterwards is automatically stored encrypted.

If your only concern is that you don't want the passwords to be deleted, well, if you don't have server communication, you have to live with that risk :)

Gannic