I'm at the point where I can allow the user to store credentials for a simple web app in my upcoming Android app. My fear (being new to Android) is that other (evil) apps could get at this seemingly local database (local to my app, that is).

When writing this feature, should I fear other apps getting at this data? If so, what is the best way to encrypt it locally (but remember I need to pull it back out at some point to log the user in when they are using the app)?

Thank you!

JimmyBond
  • Consider salting the password with a unique local salt and multi-hashing the salted password. Then store only the final hash. Then repeat this process when the user logs in, comparing the generated hash with the stored hash. Even then, a GPU password cracking program can get a strong 8 char password "from" the hash in minutes to hours. – JAL Jun 01 '11 at 20:21
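The salt-then-iterated-hash pattern from the comment above, written out as an added example (not code from this thread or from any answer): one function builds the record to store locally (salt, iteration count and final hash, never the password), and the login path re-derives the hash and compares it in constant time. It verifies a password typed locally; it cannot hand back the plaintext for logging into the remote web app. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the "multi hashing" step, and the record format, iteration count and sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Parameters chosen for this demonstration (assumed, not from the thread).
HASH_NAME = "sha256"
ITERATIONS = 100_000      # "multi hashing": PBKDF2 iterates HMAC-SHA256 this many times
SALT_BYTES = 16           # unique per-user, per-device salt


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> str:
    """Build the string to keep in local storage: algorithm, iterations, salt, hash.
    The plaintext password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """At login: re-run the same derivation with the stored salt and iteration
    count, then compare against the stored hash without leaking timing."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != f"pbkdf2_{HASH_NAME}":
            return False                    # unknown algorithm tag: fail closed
        expected = bytes.fromhex(digest_hex)
        actual = derive(password, bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False                        # malformed or tampered record: fail closed
    # compare_digest keeps the comparison time independent of where bytes differ
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = make_record("correct horse")   # constructed sample password
    print(stored)
    print(verify("correct horse", stored))  # True
    print(verify("wrong password", stored)) # False
```

Because the salt is random, hashing the same password twice yields two different records, so a stolen hash from one device gives no shortcut to another.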

2 Answers

I have a similar situation, and found the SimpleCrypto class enough for my needs to get the passwords encrypted to avoid plain text output of passwords being easily read.

How you decide to use a key for the encryption is another question. As shown here, you could use the unique Id of the phone (obvious problems being that if they change phone you can't decrypt your data), or just simply use a random string in your code. It depends how hard you want to make recovery and how important the data is you're securing.

Mark Fisher
No... other apps won't be able to get access to private data like your SQLite database. But it's worthwhile to encrypt at least the passwords, just in case.

Cristian
  • Even if the phone is rooted? Sorry for this old thread, I'm just curious. – VHanded Dec 16 '11 at 15:09
  • @VHanded Even though this is pretty old, just for future readers, in a rooted device almost anything can be bypassed and accessed by the user. – YektaDev Jul 22 '23 at 13:44