Possible Duplicate:
Storing a password

I am using shared preferences to store a password. Is it secure to save the password data as it is, or do I have to encrypt it before saving it? Please help me with sample code.

Thanks in advance.

upv
    Use search before posting obviously basic questions. –  Jun 15 '11 at 08:36
  • I don't think the question is bad. iOS has the Keychain, I assume Android has something similar, and that is what should probably be used here. – Thilo Jun 15 '11 at 08:38
  • [Asked many times.](http://stackoverflow.com/search?q=Storing+encrypted+password+in+Android) – Mudassir Jun 15 '11 at 08:46
  • @Thilo, Android doesn't have such a store for passwords or keys. Passwords could be stored in the shared preferences of an application; normally they are not accessible on a normal device. But if the device is rooted (which is not unusual for Android) or a developer device, then the shared preferences are also accessible. – Flo Jun 15 '11 at 08:50
  • The question is bad, and has been closed. Really, use search. It's there for a reason. –  Jun 15 '11 at 12:41

3 Answers

Short answer: it's pretty secure.

Long answer: first off, if you are creating an application that allows a user to log into a web / remote service, you might want to look into the AccountManager. It's a bit harder to learn the APIs and integrate with it, but you get some nice benefits:

  1. Simple multiple account management (all the accounts are stored in the AccountManager).
  2. Ability to add SyncAdapters (and writing them will be pretty simplified, since the AccountManager will call your adapters with the right account -- you don't have to run the sync for each account manually).
  3. Your app will appear under Settings > Accounts & sync.

Check out the Sample Sync Adapter in the docs -- it shows how to use the AccountManager (you can ignore the sync stuff if you don't need it).

Now, on to the security of storing the password (what follows is valid for both storing the password in SharedPreferences and in AccountManager). As long as the device on which your application is running is not rooted, it is completely secure. No other app but yours can read the password. You can't even read the password if you connect the phone to a PC using a USB cable and use adb pull to try and get the respective file.

However, if the phone is rooted, any app that gets root access can read the password. Also, adb pull works, and you can get to the password in seconds.

Because of this, encryption is recommended (especially if your web / cloud / remote service holds sensitive data). I have used SimpleCrypto in my last project (together with AccountManager) and it works pretty well. In case you're wondering, I just used a constant for the "master password". For added security, I have obfuscated the final build (check out how).

Felix
    +1. Note that encryption will not help against a dedicated hacker on a rooted device as well, if the "master password" is contained in the application somewhere. – Thilo Jun 15 '11 at 08:57
  • @Thilo yes, but obfuscation definitely helps. And also, you can't really ask the user for a password to his password :). And fetching it from a webservice is useless, as a "dedicated hacker" would figure that out. – Felix Jun 15 '11 at 09:29
    Totally agree. I just wanted to stress that the important part here is that storing plaintext in a shared preference is as you say already pretty secure and that you would need to go to great lengths to make any significant improvements on top of that. If you are really worried, you need to do something like OAuth. – Thilo Jun 15 '11 at 10:00
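An added example, not code from this answer or from the SimpleCrypto library it mentions, of what "encrypt before saving" looks like with the javax.crypto API that both the JDK and Android ship: AES in GCM mode with a fresh random IV per write, the preference name bound as associated data so a ciphertext cannot be swapped into a different key, and a plain Map standing in for SharedPreferences (a constructed stand-in so the example runs on a desktop JDK). The SecretKey is a constructor parameter on purpose: as the comments above point out, a key compiled into the APK as a constant can be recovered together with the preferences file, so the key has to come from somewhere the app does not store in plaintext (later Android versions added the AndroidKeyStore provider for this); the example generates a random one only so that it runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptedPrefs {
    private static final int GCM_IV_BYTES = 12;   // 96-bit IV, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    // Constructed stand-in for SharedPreferences: string keys to string values.
    private final Map<String, String> prefs = new HashMap<>();
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();

    // The key is supplied by the caller; it must NOT be a constant in the code.
    public EncryptedPrefs(SecretKey key) {
        this.key = key;
    }

    // Random 256-bit AES key, used here only so the example runs on its own.
    public static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Encrypts the password and stores base64(iv || ciphertext || tag) under prefKey.
    public void putPassword(String prefKey, String password) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);  // never reuse an IV with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(prefKey.getBytes(StandardCharsets.UTF_8));  // bind to the pref name
        byte[] plain = password.getBytes(StandardCharsets.UTF_8);
        byte[] ct = c.doFinal(plain);
        Arrays.fill(plain, (byte) 0);  // drop the plaintext copy as soon as possible
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        prefs.put(prefKey, Base64.getEncoder().encodeToString(out));
    }

    // Returns the decrypted password, or null if nothing is stored.
    // Throws AEADBadTagException if the stored value was modified or moved.
    public String getPassword(String prefKey) throws Exception {
        String stored = prefs.get(prefKey);
        if (stored == null) {
            return null;
        }
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] iv = Arrays.copyOfRange(in, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, GCM_IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(prefKey.getBytes(StandardCharsets.UTF_8));
        byte[] plain = c.doFinal(ct);
        String password = new String(plain, StandardCharsets.UTF_8);
        Arrays.fill(plain, (byte) 0);
        return password;
    }

    public static void main(String[] args) throws Exception {
        EncryptedPrefs p = new EncryptedPrefs(newKey());
        p.putPassword("account_password", "correct horse battery staple");  // constructed sample
        System.out.println("stored value: " + p.prefs.get("account_password"));
        System.out.println("decrypted:    " + p.getPassword("account_password"));
    }
}
```

The stored string is what an attacker with root or adb pull would see; without the key it is just random-looking bytes, which is exactly why the key placement, not the cipher choice, decides how much this buys you over plaintext.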
No, it's never secure to store passwords in plain text; remember what happened to Sony recently?

Any Java encryption technique will do.

Reno
  • If Android offers an SDK for password storage (not sure if it does), I'd use that rather than rolling my own. – Thilo Jun 15 '11 at 08:39
    Sadly it does not, there is a feature request for it. Android supports the javax.crypto package. – Reno Jun 15 '11 at 08:43
You should never save a password directly, instead save a hash of the password.

Flo
    That won't help if you need to send the password to a server to authenticate. Thunderbird or Firefox for example needs to store the password, not just the hash. – Thilo Jun 15 '11 at 08:37
  • Unnikrishnan PV never said the password has to be sent to a server. So you cannot assume something that is not specified. – Flo Jun 15 '11 at 08:43
  • A bit more of an explanation might be nice – rootmeanclaire Aug 19 '15 at 18:18