Should I Save token securely in Memory or sqlite? or Please suggest

Question

I started to learn Android few days back and so far I am done with implementing Login Activity, Main Activity which extends abstract Base Activity.

Nav Bar item when clicked opens xml from Fragments.

I have a question about the token that I receive after successful login. This token is being used with each request to get data after successful login. Should I save the token in sqlite database securely or I should make a public property in Main Activity? Main Activity will always remain in memory as this will open fragments.

Answer 1

I can suggest 3 options: 1) you can save the token to the file, something like this:

public static void saveToken(Context ctx, String fileName, Object token) {
        if (token == null) {
            ctx.deleteFile(fileName);
        } else {
            ObjectOutputStream out = null;
            try {
                FileOutputStream fout = ctx.openFileOutput(fileName, 0);
                out = new ObjectOutputStream(fout);
                out.writeObject(token);
                fout.getFD().sync();
            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                try {
                    if (out != null)
                        out.close();
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        }
    }

Make sure object token implements java.io.Serializable interface.

Usage before API level 24:

saveToken(appContext, someFileName, someTokenObject);

Usage with API level 24 and higher:

saveToken(appContext.createDeviceProtectedStorageContext(), someFileName, someTokenObject);

2) Use SQLCipher library for encrypted database.

3) You can encrypt your token using keystore system https://developer.android.com/training/articles/keystore.html

Answer 2

Use SharedPreferences and make sure you are using Context.MODE_PRIVATE this way only your app can access the data. SharedPreferences is a persistent store

e.g.

SharedPreferences prefs = context.getPreferences(Context.MODE_PRIVATE);
prefs.edit().putString("token", token).apply();
token = prefs.getString("token");

Why not to use SQLite:

SQLite is a database and is targeted at tabular data, a single token does not fit this use case.

Why not store in the main activity:

The main activity will not be around for the lifetime of the application install, it can be cleaned up by the OS at any time. It is not a persistent data store.

Answer 3

Should I save the token in sqlite database securely or I should make a public property in Main Activity? Main Activity will always remain in memory as this will open fragments.

The Official Android documentation already answers your question in the section on called "Best practices for security and privacy". It gives the following statement:

If you have access to user data and can avoid storing or transmitting it, don't store or transmit the data

In other words, if you can avoid persisting then don't persist it.

You mentioned "public property" in your question which makes me wonder if the concept of visibility modifiers is not yet clear. The Java public and private modifiers are for controlling access to the members of your class. They have nothing to do with security as per this answer here.

If you do persist the token in memory, as a public field or otherwise, you may reduce your exposure slightly by storing the token in a char[] rather than a String. That also is detailed in this canonical answer.

Finally, if you do have to store the token, the sqlite database is not the correct place to do it. Instead, you should use the provided KeyStore which will make for more difficult extraction of the token in the case that the device is compromised. The link to the documentation above is complete with code examples. If this proves too difficult to use, there are some wrappers around it including Scytale.

Answer 4

1) Store the token value within the base application singleton (where your application must be an instance of BaseApplication)

public class BaseApplication extends Application {
    // token
    private String token = null;
    public String getToken() {return this.token;}
    public void setToken(String token) {this.token = token;}
}

With the implementation above you will be able to set and get the token value from any activity/fragment. However the value is not persistent and it will be lost once the application ends.

Remark: If you are using the token for REST api access then you can store the token in the background service instance using a similar solution as above.

2) Use SharedPreferences - this is recommended way in case you want to store the token's value between application's runs.

Please see the answer from @Ryan.

Answer 5

You can use SharedPreferences to store token.it is available over application.

Answer 6

Better to use Sqlite or Realm. And store in Application memory and not in external memory. As for data residing in application memory we don't need to worry much about security. Saving in MainActivity is not a good solution, as once application closes, this will get cleared.

Storing in Shared Preference is also an option. But if user clears the cache from setting's this value will also get cleared. Realm Android Reference Link

Answer 7

You can store it in Shared Preference as this one is token.

Now coming to the part of Security You can obviously use encryption for the shared preference.

There are already lots of open items available you can use below library for example https://github.com/ophio/secure-preferences Regarding keys that are in your java file to encrypt, You need to be sure you are applying proguard before you upload it to playstore.

In that manner now your token is fully secure with shared preferences.

In order to save it in sqlite than by decoding or root access your db file can also be accessed same as preferences. Regarding clear data from setting I think it will delete your sqlite data as well. Not sure about this though.

I hope it will help you out.