0

I'm making an app that will require a password to be entered before the main app will load. I plan to get the user to create a password when they first run the app and then store the password on the local device and encrypt it using a local symmetric key (which will be generated when the app first runs). This is so someone can't simply read the file where the password is stored.

How can I store the key used securely? Or is there a better way of hiding stored passwords to be used in local verification?

The app is designed for offline usage so I can't add any networking capabilities.

CS Student
  • 1,613
  • 6
  • 24
  • 40

3 Answers3

0

You can use SharedPreferences in private mode to store the password. It is secure as far as the phone is not rooted but you can use Cryptography techniques to store the password. The approach which I follow to store the passwords locally is to add a SALT to the password while storing. You can read more about it here

Community
  • 1
  • 1
Shubham
  • 165
  • 2
  • 11
0

A secure way for passwords - hashing. A hash can never be decrypted as the password is lost during the hashing process. I'm using MD5 hashing process in the following code -

public String StringToMD5(String s) {
 try {
     // Create MD5 Hash
     MessageDigest digest = java.security.MessageDigest.getInstance("MD5");
     digest.update(s.getBytes());
     byte messageDigest[] = digest.digest();

    // Create Hex String
     StringBuffer hexString = new StringBuffer();
     for (int i=0; i<messageDigest.length; i++)
            M hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
    return hexString.toString();

} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}
return "";
}

Use this code to hash your password and then store it using Private SharedPreferences. When the user enters the password again, hash it again and check if it is the same as previous hash. If the hashes match, then access is granted.

FadedCoder
  • 1,517
  • 1
  • 16
  • 36
0

Please start by reading Thomas Pornin's canonical answer to How to securely hash passwords?.

PBKDF2 options are listed in the question PBKDF2 function in Android, but include a native SecretKeyFactory method as well as Spongycastle, bouncycastle, rtner.de, etc.

Long, cryptographically random per-password salt is required (make room for more than one password for future growth!).

Never ask PBKDF2 for more key length than the native function supports - that 64 bytes for PBKDF2-HMAC-SHA-512, and 20 bytes for PBKDF2-HMAC-SHA-1.

Always use as high an iteration count as your users can stand. Even for android devices, for a single user on their own device, done only once at application start, that's in the hundreds of thousands or more for PBKDF2-HMAC-SHA-1 and the tens to hundreds of thousands for PBKDF2-HMAC-SHA-512.

Note that PBKDF2's primary use is in creating encryption keys - you can use the same password entered to generate the encryption key for files you encrypt using AES (NOT in ECB mode); just use a different salt and a different number of iterations. If you're only doing that, then you don't even need the password hash; simply try decrypting the file with the key generated and a stored salt and number of iterations - if it works, it was the right password. If it fails, it wasn't.

Community
  • 1
  • 1
Anti-weakpasswords
  • 2,604
  • 20
  • 25