I'm developing an application that sends an email without using intents (as described in Sending Email in Android using JavaMail API without using the default/built-in app).

This requires the email and password credentials of the developer's mail account. At the moment, I have stored them as static variables within a class:

```java
public static final String EMAIL = "myemail@gmail.com";
public static final String EMAIL_PASSWD = "mypasswd";
```

I'm really concerned about security in case of reverse apk engineering.

Would it be safer to store these credentials in values/strings? Or is there maybe a better solution?

Thanks

alfrag

1 Answer

As soon as those values are stored on the device (in the app), they won't be safe. Even storing them in the AccountManager won't help you to have something fully secure. Rooted users can easily retrieve data from the AccountManager.

Maybe a solution would be to retrieve them remotely (for example, by using a secured connection to a web service beforehand). Or maybe even better, to write a server-side script that will handle that for you. Is it really necessary that the device is the sender? A server can handle that part, can't it?

[Update] Please have a look at this article. It explains how problematic it is to store sensitive data on the device. It also gives a solution to raise your security to a higher level.

Anyway, relying on a server to send the email still seems the best option to me.

gbero
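
The server-side option suggested in the answer, sketched as an added example (not code from the post or from either poster): the app sends only a subject and body over HTTPS, and the mail account's password lives only in the server's environment. The `RELAY_SMTP_*` variable names, the fixed recipient address and the size limits are assumptions chosen for illustration.

```python
import os
import smtplib
from email.message import EmailMessage

# Assumed, hypothetical names: the RELAY_SMTP_* environment variables and the
# fixed support address below are placeholders, not values from the post.
FIXED_RECIPIENT = "support@example.com"
MAX_SUBJECT, MAX_BODY = 120, 5000


class RejectedRequest(ValueError):
    """Raised when the app's request must not be turned into an email."""


def build_message(payload: dict, sender: str) -> EmailMessage:
    """Validate the fields the app may control and build the message.

    The app never chooses sender or recipient, so the endpoint cannot be
    used as an open relay even if someone replays or forges its requests.
    """
    subject = payload.get("subject", "")
    body = payload.get("body", "")
    if not isinstance(subject, str) or not isinstance(body, str):
        raise RejectedRequest("subject and body must be strings")
    if not subject.strip() or len(subject) > MAX_SUBJECT or len(body) > MAX_BODY:
        raise RejectedRequest("subject/body empty or too long")
    if "\r" in subject or "\n" in subject:
        raise RejectedRequest("line breaks in subject (header injection)")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = FIXED_RECIPIENT
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_from_server(payload: dict) -> None:
    """Called by the HTTPS handler; credentials exist only in the server env."""
    user = os.environ["RELAY_SMTP_USER"]
    password = os.environ["RELAY_SMTP_PASSWORD"]
    host = os.environ.get("RELAY_SMTP_HOST", "smtp.example.com")
    msg = build_message(payload, sender=user)
    with smtplib.SMTP_SSL(host, 465, timeout=10) as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)
```

The HTTPS handler that calls `send_from_server` should also rate-limit requests, since anything shipped in the APK, including the endpoint URL, can be recovered by reverse engineering.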