I'm developing an Android app. For authentication the user needs to enter the user name and password and the server returns an expiring authentication token.

Currently I'm saving the token but not the credentials. What is the preferred, safest method to save the credentials locally so that when the token authentication fails I can re-login the user using the saved credentials in the background, without having the user enter their credentials again?

I'm aware of saving data using SharedPreferences. But are they really secure? Can I use AccountManager for this purpose?

George Arokiam
  • SharedPreferences certainly should not be considered secure – tyczj Nov 16 '17 at 15:30
  • Read this post, the accepted answer is from a tech lead on Android dev at Google, as per another Stack Overflow answer. https://stackoverflow.com/questions/785973/what-is-the-most-appropriate-way-to-store-user-settings-in-android-application/786588#786588 – Jimmy Nov 16 '17 at 15:38

1 Answer

Having a background service that, when the token expires, would log the user in again automatically would not be very secure.

Is it not possible to make the expiry time of the token longer? Saving the credentials and trying to log in periodically would not be very secure.

  • I shouldn't change the expiry time since the service is used by others as well. Even if I did extend the expiry of the token as you suggest I'll still have to store the token somewhere. So if I'm worried about securing the user name and password then I should be worrying about securing the token too which is now valid for a longer period. Definitely not the answer that I am looking for. Thanks anyway – George Arokiam Nov 16 '17 at 16:42
  • A possible process could be reissuing tokens on expiry. Firstly, validate the old token, then check if the user still exists or access hasn't been revoked or whatever makes sense for your application. Next, issue a new token with a renewed expiration. Rinse and repeat. A background service doing this and having a class that handles reissuing would probably be what you are looking for then. No need to save credentials, and the user is secure. – Swatarianess Nov 16 '17 at 16:53
  • Again I don't see how this solves my concern about security. What you are saying is if I get access to someone's token once then I can just keep getting new tokens for their account since the server is going to return my new tokens anyway without any authentication. – George Arokiam Nov 17 '17 at 16:02
  • No. Firstly, most of the token management is best handled server side rather than on the device. Secondly, apologies, I am speaking of two separate tokens. One for access and one for refreshing. Auth0 sell fantastic authentication services as well as explain it better than I can. https://auth0.com/learn/refresh-tokens/ – Swatarianess Nov 17 '17 at 16:30