I am building an app which generates a random password and you can keep it along with your other details such as username, website url, name etc.

Basically a password management thing.

Things to be stored:

When I click on the save button, I want it to be saved somewhere locally, so that I can retrieve them and display them in another activity.

Can I store those things in SharedPreferences for all those password entries securely? [By password entry, I mean the entire class.]

I have referred to something like ComplexPreferences [ http://blog.nkdroidsolutions.com/class-object-in-sharedpreferences/ ]

I've tried them because I had created a class containing all these data [title, url, username, password, notes]. But I cannot retrieve them properly using a recyclerview. I'm ending up with some error.

If it cannot be done with SharedPreferences, how can I do it with SQLite Database?

But how can I save them securely? I don't know much about security in Android.

Please guide.

ישו אוהב אותך
Levi
  • What is the error you are getting? – Nigam Patro Dec 06 '16 at 10:51
  • `E/RecyclerView: No adapter attached; skipping layout`. But the thing is, I don't know how to implement it properly. So, I don't know if the data is actually getting stored or not. Can I store passwords like this? – Levi Dec 06 '16 at 11:09
  • That is not the error. Where are you facing the issue, and what have you tried? – Nigam Patro Dec 06 '16 at 11:10
  • Can I store passwords like that? Can I use ComplexPreferences for that? If so, I could work with that. – Levi Dec 06 '16 at 11:11
  • Basically what do you mean by ComplexPreferences? – Nigam Patro Dec 06 '16 at 11:12
  • http://blog.nkdroidsolutions.com/class-object-in-sharedpreferences/ – Levi Dec 06 '16 at 11:13
  • See this, there is nothing like complex preference https://developer.android.com/training/basics/data-storage/shared-preferences.html – Nigam Patro Dec 06 '16 at 11:16
  • It's a modified class for storing class objects in SharedPreferences. Please visit the link that I mentioned above. – Levi Dec 06 '16 at 11:17
  • Yes exactly, you can store that data. It's not an issue, because the data which you store in SharedPreferences and the SQLite DB can't be accessed by other applications. – Nigam Patro Dec 06 '16 at 11:18
  • Can it be hacked? Can you please help me with code for how to store and retrieve that class object data using SharedPreferences into a RecyclerView? – Levi Dec 06 '16 at 11:21
  • Unless the device is rooted, no one can hack that data. So, as per the requirement you specified (store the data and retrieve it to display in a list), better go for `SQLite database`. – Nigam Patro Dec 06 '16 at 11:23
  • If I publish my app using an SQLite database, will everyone underrate my app for not being secure? – Levi Dec 06 '16 at 11:25
  • It's not like that. No user can see whether you are using SQLite or anything else. And yes, if you want to secure the data, then you can apply some encryption algorithm to store the password. – Nigam Patro Dec 06 '16 at 11:27
  • Please put that as an answer. How to encrypt the password while we are entering the data and how to decrypt it while retrieving the data? – Levi Dec 06 '16 at 11:35
  • You can use this library; please refer to their documentation for a better idea: https://github.com/scottyab/AESCrypt-Android – Nigam Patro Dec 06 '16 at 11:38
  • Thanks a lot. I think I'm gonna use it with SQLite. It's pretty much secure, right? – Levi Dec 06 '16 at 11:45
  • Yes. You are most welcome. – Nigam Patro Dec 06 '16 at 11:46

3 Answers

Shared preferences and the SQLite DB are both secure only to an extent. They can be easily accessed and modified; there are even several apps available in the Play Store to edit shared preferences and SQLite DBs.

So I prefer not to store it locally.

You can use some kind of algorithms and mechanisms to encrypt and decrypt the data that you are going to store locally. If the device is rooted then it's a SERIOUS ISSUE.

ashik

I still don't understand why you need to save it locally, if only your application will be able to unlock the data. In this case, only your application will have the keys to work with these files.

For this example, you can easily work with SharedPreferences in private mode. Furthermore, it's enough for most tasks. We are using this option to save the user's token, and it's OK for the system. (If we talk about the safety of this approach, you will have some risk with custom ROMs, for users who manually flashed their device.)

If you need something more complicated, you can use a sample that uses the Android Keystore, generating a key pair and saving data. For example, you can check this source.

UPDATE!

So the question was updated a lot from the first version. I will update the information with what you are looking for: saving a huge amount of encrypted information locally.

Maybe the easier way to do it is to just use local encryption of the data, as I described above, using Android KeyStore, KeyChain (links above). You will create your own KeyPair and use it for encryption and decryption of some data. This data you will save in your DB in encrypted form.

Another, more complex solution would be creating a mechanism for encryption/decryption of the DB. As you described, you will save all information in the DB, and afterwards just encrypt/decrypt your DB files. Fortunately, we already have such a library, SQLCipher; just take a look. For example, this is a pretty simple tutorial.

GabrielOshiro
GensaGames
  • Because I don't know how to save it on the cloud. And I don't know if it's costly. That's why I am going with the local option. Can you help me? – Levi Dec 23 '16 at 08:31
  • @Levi I will update the answer, but in any case, it might be complex. – GensaGames Feb 02 '17 at 07:56
Let's say that you have a generated password along with other details like the user name. Storing this kind of data is a perfect fit for SQLite. But storing it in plain text is not safe. Either the whole database or individual records should be encrypted. The former can be done using one of the open source database encryption libraries. For the latter you have a couple of options:

  1. Ask the user for a password each time he opens the app. Generate the actual encryption key using password-based encryption and the same salt value.

  2. You can use the Android Keystore Provider to generate an encryption key and save it for you in a safe location on the device. Later, you retrieve the entry from the keystore and use it to encrypt/decrypt your database records using javax.crypto.Cipher.

Both options ensure that the encryption key is not present in the app.

dev.bmax
  • Can you please explain that a bit more simply? Like you said, after creating all passwords, I have to encrypt them and store them in the database. After retrieving them, I have to decrypt and show them. Is that it? – Levi Dec 10 '16 at 04:47