2

A bit of background:

  1. User enters credentials on every app launch instance.
  2. These credentials are sent as a part of the POST body (we encrypt them with a key using AES and put in the post body) to server and we get back a token which is some encoded string from the server.
  3. This token will authorize our app to make requests.

Now I would like you readers to focus on the fact that we need user credentials to get an authorization token in the first place.

  1. Token expires in 12 hours and all the subsequent requests are unauthorized and we are forced to kick the user out of the app to relogin again and get a new token which is good for another 12 hrs. I KNOW ITS A BAD EXPERIENCE.

Now we are required to implement a remember me functionality. I am NOT AT ALL COMFORTABLE using shared preferences (even with encryption, a serious hacker might get to the key in this case). What should I do ? I just came to know that the token web service is an oAuth2. Im a novice still looking at articles about oAuth2 and I saw where people have huge discussions about SharedPrefs and AccountManager api. But I saw this one answer by Reto Meier. He mentions that server should use oAuth. My question is given my scenario, what is the most secure way to do this and how can I use anything with oAuth to implement the remeber me functionality. Any kind of "clear" examples/clear explanantion would be a great help. Looking forward for your answers.

Community
  • 1
  • 1
uLYsseus
  • 995
  • 6
  • 16
  • 37

1 Answers1

2

This is solely my opinion and could be less than 100% correct.

I am currently struggling with this but some of the things I know that could result are:

  • Store passwords in server's database using a derivation function along with hash + salt, being the salt unique to each user;

  • Implement oAuth by sending the username and password (hashed or plain text doesn't matter) via HTTPS to the server one single time, he
    returns a token with a given expiration time. For example Dropbox
    oAuth token has a huge validation, doesn't mean it is less safe. You just have to invalidate the token if the user is compromised;

  • Store the token in SharedPreferences in the device and use it as the remember me.

mthandr
  • 3,062
  • 2
  • 23
  • 33
  • Thanks for response. I will mark your answer with some more research :). May I know, only if its ok for you, what issues are you struggling with ? – uLYsseus Feb 09 '15 at 01:36