Best way to set credentials for Android library

Question

we are developing an android library, that will communicate with our backend. This library will be distributed to our clients, allowing their applications to send data to our servers.

Each library should communicate in a secure way, with client credentials (token and so on).

Where would be the best place to store that token? Maybe in manifest? Plain text file in a single folder?

I want to be as much transparent I can. Client should download my library, download credentials file, and all should start running smoothly.

Any tip?

Thank you so much

Answer 1

From the official official documentation

Handling Credentials

In general, we recommend minimizing the frequency of asking for user credentials—to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.

Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.

Services that will be accessible to multiple applications should be accessed using AccountManager. If possible, use the AccountManager class to invoke a cloud-based service and do not store passwords on the device.

After using AccountManager to retrieve an Account, CREATOR before passing in any credentials, so that you do not inadvertently pass credentials to the wrong application.

If credentials are to be used only by applications that you create, then you can verify the application which accesses the AccountManager using checkSignature(). Alternatively, if only one application will use the credential, you might use a KeyStore for storage.

So using AccountManager seems to be the best option for storing credentials.

You can also use the SharedPreference but it's risky cause on rooted phones it is possible to access the preferences file of an app.