1

My app uses a library to send emails to a predefined mailbox. In my Constants file I have defined my SMTP host, SMTP username and SMTP password. The problem is, the password is in plain text. How can I store it safely? This is a preview of my Constants.kt file:

```kotlin
const val SMTP_HOST = "smtp.gmail.com"
const val SMTP_USER = "test@test.com"
const val SMTP_PASSWORD = "123456"
```
André Nogueira
  • "My app uses a library to send emails to a predefined mailbox" -- anybody will be able to extract this information from your app and use it for malicious purposes. Either use `ACTION_SEND`/`ACTION_SENDTO` or, as [one answer](https://stackoverflow.com/a/69184211/115145) suggests, have some Web service send the email, with your app communicating with the Web service securely. – CommonsWare Sep 14 '21 at 20:58

3 Answers

3

In my view, a safer way is to unbind this from the "frontend" and make the application consume a service from the backend, which is responsible for sending this email. On the backend, you put the password in an environment variable or encrypt it in some database.
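The approach in the answer above, sketched as an added example that is not part of the original answer: a backend-side sender in Python (the language is an assumption, the answer names none) that reads the SMTP credentials from environment variables and always mails the fixed mailbox, so the app only submits a subject and a body. The environment variable names, port 587 and the length limits are assumptions, and the HTTP endpoint that would call `send_report` is left out.

```python
import os
import smtplib
from email.message import EmailMessage

# Assumed limits for this example; tune them to what the app legitimately sends.
MAX_SUBJECT = 120
MAX_BODY = 4000
REQUIRED = ("SMTP_HOST", "SMTP_USER", "SMTP_PASSWORD", "MAILBOX_ADDRESS")  # assumed names


def load_smtp_config(env=os.environ):
    """Read SMTP settings from the server's environment; fail closed if any is missing."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {k: env[k] for k in REQUIRED}


def build_message(cfg, subject, body):
    """Build the mail from untrusted client input. The client never picks the recipient."""
    if not isinstance(subject, str) or not isinstance(body, str):
        raise ValueError("subject and body must be strings")
    if "\r" in subject or "\n" in subject:
        # Line breaks in a header value would let a caller smuggle extra headers.
        raise ValueError("line breaks are not allowed in the subject")
    if not subject.strip() or len(subject) > MAX_SUBJECT or len(body) > MAX_BODY:
        raise ValueError("subject is empty, or subject/body is too long")
    msg = EmailMessage()
    msg["From"] = cfg["SMTP_USER"]
    msg["To"] = cfg["MAILBOX_ADDRESS"]  # fixed server-side: the predefined mailbox
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_report(subject, body, env=os.environ, smtp_factory=smtplib.SMTP):
    """Entry point for the backend's request handler (handler not shown)."""
    cfg = load_smtp_config(env)
    msg = build_message(cfg, subject, body)  # validate before opening a connection
    with smtp_factory(cfg["SMTP_HOST"], 587) as smtp:  # 587 (submission) is assumed
        smtp.starttls()
        smtp.login(cfg["SMTP_USER"], cfg["SMTP_PASSWORD"])
        smtp.send_message(msg)
    return msg
```

With this split the APK contains only the service URL, and the password exists solely in the server process's environment.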

0

A better way would be to store your password in an env var and load it:

```kotlin
val SMTP_PASSWORD = System.getenv("PASSWORD")
```

Also, the topic has been discussed extensively on SO (here, for example).

GinGin3203
  • `System.getenv()` is not an option in Android. It also does not address the real problem: anyone can extract the email credentials and use that account for spam, phishing, etc. – CommonsWare Sep 14 '21 at 20:55
0

You can keep your sensitive information in your .env file; you shouldn't send it to the version control system, and you change it in the staging / production area.