I want to authenticate a user by allowing him to create a username and password. Since I only find old posts about it, I'm creating this one.

Should I encrypt the password before sending to the server? If so, how should I do it? If not, should I use some specific configuration in my POST request to the server?

Is there any reliable third party api that I should use?

I know that Google has an androidx API for these things, but it's still in alpha.

3 Answers

If you use the HTTPS protocol to communicate with the server, the data are already encrypted before being sent; anyway, I suggest you execute an additional encryption using Cipher.

PS: see this question for more: How to encrypt String in Java

Marco Rocchi
Comment: I marked this one as the response just because there's a very informative answer in the link posted. The other 2 are very good and similar answers. – Igor Grecco Lacourt Dec 12 '19 at 19:40

You may apply a basic obfuscation like Base64 or something like that; as Marco mentioned, HTTPS already secures the channel, and the information wouldn't be seen by a man in the middle.

Instead of encryption, you may add a security validation that the HTTPS certificate is trusted, so that using proxies such as Charles Proxy is also forbidden.

htafoya

Encryption assumes an encryption key, which needs to be securely distributed. Since the password (or a derivative of it) needs to be stored server side for subsequent authentication, I would recommend sending the password in clear text, at least when registering the username / password. Of course, this assumes that HTTPS, enforcing a secure protocol and hostname verification, is used. The benefit is that you don't add an implicit dependency on a specific algorithm to the server API. Instead, the server application can hide this as an internal detail when storing the password (or a derivative) in the database. This makes API evolution less painful.

It is often recommended to use certificate pinning (i.e. "hard-coding" a server certificate client side) but this may be overengineering depending on your use case as it will require certificate lifecycle management.

All this said, you probably would benefit from using a third party service (e.g. AWS Cognito) for authentication, at least in the short term. This way you can more easily implement 2-factor authentication when creating the account, login abuse prevention, password recovery, etc.

Alix
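The server-side half of the approach in the answer above (password sent in clear over HTTPS, hashed only on the server, with the algorithm kept as an internal detail so the API never has to change) looks roughly like this. This is an added example, not code from any of the answers; it uses only the Python standard library, the in-memory `UserStore` class and the `alg$iterations$salt$hash` record format are assumptions made for the illustration, and the iteration count is a placeholder policy value, not a recommendation from the page. Because each stored record carries its own algorithm tag and parameters, the server can raise the iteration count later and re-hash a user's password transparently on their next successful login, without the client ever knowing.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Server-side policy (assumed values for the example). Bumping these changes
# only the records written from now on, never the client-facing API.
CURRENT_ALG = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000
DKLEN = 32


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{CURRENT_ALG}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a clear-text password against a stored record.

    Returns (ok, upgraded_record). upgraded_record is a new record when the
    stored one was produced under weaker parameters than the current policy,
    so the caller can replace it after a successful login; otherwise None.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != CURRENT_ALG:
        return False, None  # unknown or malformed record: fail closed
    _, iters_s, salt_hex, hash_hex = parts
    iterations = int(iters_s)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations, dklen=DKLEN
    )
    # constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(dk, bytes.fromhex(hash_hex)):
        return False, None
    if iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)  # transparent upgrade
    return True, None


# Record used to burn the same amount of work for unknown usernames, so the
# response time does not reveal whether an account exists.
_DUMMY_RECORD = hash_password("not-a-real-password")


class UserStore:
    """Minimal in-memory stand-in for the server's user table (assumed)."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        # Registration endpoint: the clear password arrives over TLS and is
        # hashed here; the client never learns which algorithm is used.
        if username in self._records:
            raise ValueError("username already taken")
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)
            return False
        ok, upgraded = verify_password(password, record)
        if ok and upgraded is not None:
            self._records[username] = upgraded  # re-hash under current policy
        return ok

    def record_for(self, username: str) -> str:
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))  # True
    print(store.login("alice", "wrong password"))  # False
    print(store.record_for("alice").split("$")[:2])  # ['pbkdf2_sha256', '600000']
```

The client side stays trivial: an HTTPS POST of `username` and `password` using a client that performs normal certificate and hostname verification. Nothing about PBKDF2, salts or iteration counts leaks into that request, which is exactly what lets the server change them later.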