Storing a password

Question

I'm creating a app to store encrypted data.

In this question, the OP si advised to store user's credential in clear.

But what if I'd like to store an encrypted password created with SecretKeySpec (the one used to encrypt data)? From my understanding the secret key is itself encrypted.

So I can I store and retrieve it.

Note: I'm not asking how to store preferences, just if my understanding of how SecretKeySpec works and how to, sort of, serialize and retrieve the encrypted password.

EDIT: Sorry, I forgot to specify it needs to be compatible with API level 4.

score 11 · Accepted Answer · edited Jun 20 '20 at 09:12

Straight from the developer website.

Be Smart About Security!

It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.

With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker. If your user credentials are protecting something valuable, you should carefully consider doing something similar.

Remember: When it comes to security code, follow the "Mythbusters" rule: don't try this at home! Consult a security professional before implementing any custom account code.

Now that the security disclaimers are out of the way, it's time to get back to work. You've already implemented the meat of your custom account code; what's left is plumbing.

score 6 · Answer 2 · answered Mar 19 '11 at 01:35

Wow. I really don't think storing the user's password in the clear is a serious option.

Check out AccountManager which was designed for this purpose. Although it got downvoted in the question you linked to, SampleSyncAdapter really is a good resource for an AccountManager example, and the only one I know of included with the SDK.

Edit - about javax.crypto, I think it is a lower-level API than AccountManager. From the docs:

Many servers support some notion of an authentication token, which can be used to authenticate a request to the server without sending the user's actual password. (Auth tokens are normally created with a separate request which does include the user's credentials.) AccountManager can generate auth tokens for applications, so the application doesn't need to handle passwords directly. Auth tokens are normally reusable and cached by AccountManager, but must be refreshed periodically. It's the responsibility of applications to invalidate auth tokens when they stop working so the AccountManager knows it needs to regenerate them.

I'd hate to deal with this on the level of javax.crypto if I didn't have to.

Sounds good. Very good. But I need to stay compatible with API level 4 (I edited the question, sorry). Anyway +1 — Federico klez Culloca, Mar 19 '11 at 09:29

score -5 · Answer 3 · edited Sep 23 '16 at 14:43

-5

u can simply declare both username and password as an if statement if condition matches u can start the activity in case of wrong u can simply generate a toast of wrong input.but u can not retreive password from there if u lost by any mean but yess u can create many passwords for a single user.i added this thing to my application and working well for me.

edited Sep 23 '16 at 14:43

Willi Mentzel

27,862
20
113
121

answered Sep 23 '16 at 06:45

Amit Sharma

1

Storing a password

3 Answers3

Linked

Related