
My question arises from the assumption that it's best practice not to handle passwords as String in a JVM environment. Android actually handles text inside EditTexts as an array of char and provides a getChars method to get such an array.

Given that I can handle a password this way, what happens when I have to serialize it to put it in a request body? Should I receive it on my server endpoint as char[]? Even with this option, client-side it will eventually be serialized to something like ['p','w','d'], which is, again, a String.

To try to figure this out, I observed outbound traffic from a device to Amazon's authentication endpoints, and my password is actually there in plain sight in a request body; so my question may even turn into: how big of a concern is this whole passwords vs. Strings matter (at least in Android)?

Edit: an explanation of why I have this concern.

devrocca
  • You don't have to serialize the value from the edit text. A simple editext.getText().toString() will give you the string – Vivek Mishra Sep 17 '18 at 11:15
  • And if you are concerned with security, you can encrypt the password using an algorithm like md5 and then decrypt it on your server – Vivek Mishra Sep 17 '18 at 11:16
  • As an extra layer of security, you can enforce certificate pinning on your server and client to avoid MITM. – Tejas Sep 17 '18 at 13:20
  • @VivekMishra I don't want to represent the password value as a String, because of [this issue](https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords). This is the premise of my question – devrocca Sep 17 '18 at 15:49
  • @Tejas the vulnerability here is about accessing the app's process memory, not related to SSL. – devrocca Sep 17 '18 at 16:00
  • @VivekMishra also I think hashing the password only hides the original word(s); it doesn't prevent an attacker from dumping the String hash and using it to authenticate. And md5 cannot be decrypted, it's a one-way hash. – devrocca Sep 17 '18 at 16:05
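As an added illustration (not code from the question or any answer here), one way to build a request body straight from the char[] so that no String copy of the secret is ever created, and to wipe the intermediate buffers afterwards; the field name `password`, the form-encoded content type and the `PasswordBody` class name are assumptions chosen for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Illustrative helper (assumed name): turns a char[] password into an
 *  application/x-www-form-urlencoded body without creating a String copy. */
public final class PasswordBody {

    private static final String UNRESERVED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~";
    private static final byte[] HEX = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);

    /** Returns "password=<percent-encoded UTF-8>" as bytes. The caller must wipe the
     *  returned array once it has been written to the connection (see wipe). */
    public static byte[] formBody(char[] password) {
        // CharBuffer.wrap shares the caller's array, so no String is materialised.
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[utf8.remaining()];
        utf8.get(raw);
        if (utf8.hasArray()) {
            Arrays.fill(utf8.array(), (byte) 0); // the encoder's own copy of the secret
        }
        byte[] prefix = "password=".getBytes(StandardCharsets.US_ASCII);
        byte[] body = new byte[prefix.length + 3 * raw.length]; // worst case: every byte %XX
        System.arraycopy(prefix, 0, body, 0, prefix.length);
        int n = prefix.length;
        for (byte b : raw) {
            int c = b & 0xff;
            if (c < 0x80 && UNRESERVED.indexOf(c) >= 0) {
                body[n++] = (byte) c;
            } else {
                body[n++] = '%';
                body[n++] = HEX[c >>> 4];
                body[n++] = HEX[c & 0x0f];
            }
        }
        byte[] result = Arrays.copyOf(body, n);
        Arrays.fill(raw, (byte) 0);  // wipe every intermediate copy we control
        Arrays.fill(body, (byte) 0);
        return result;
    }

    /** Clears the secret and the body once the request has been written. */
    public static void wipe(char[] password, byte[] body) {
        Arrays.fill(password, '\0');
        Arrays.fill(body, (byte) 0);
    }
}
```

The HTTP client and TLS layer still keep their own buffers, so this only shortens the window in which the secret sits in the heap as a long-lived, easily found String; pair `formBody` with `wipe` as soon as the body has been written to the connection.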

1 Answer


You can convert it using a hash function while sending it to your API.

  • I think hashing the password only hides the original word(s); it doesn't prevent an attacker from dumping the String hash and using it to authenticate. – devrocca Sep 17 '18 at 15:59