
So I'm developing an application in Android Studio using Java. I'm using this service in my client application, which needs my username and password.

  private Rsms s = new Rsms("Username", "Password");

But I don't feel it's safe to just put my username and password in the code.

  • Why do you think that would be safe? People would surely decompile this, right? But this problem goes beyond just people having access to a username and password, because they'd probably need to have this access for the app to work, right? – a_local_nobody Apr 22 '22 at 13:12
  • What do I do then? – Zahra Apr 22 '22 at 13:16
  • Well, that's my point. Your question is "Is it safe..." to which the answer is _probably_ "no", but how else you could handle this is possibly a different question, and perhaps this doesn't have much to do with Android anymore; perhaps this is more relevant on a security/server forum – a_local_nobody Apr 22 '22 at 13:16

2 Answers

Your feeling is right. It is not recommended to store your password in source code. Instead, maybe you can store it in a protected section. You could use EncryptedSharedPreferences from the Jetpack Security library like this:

  import android.content.Context;
  import android.content.SharedPreferences;
  import androidx.security.crypto.EncryptedSharedPreferences;
  import androidx.security.crypto.MasterKeys;

  // Needs the androidx.security:security-crypto dependency. The master key is kept in the
  // Android Keystore; only the encrypted preference file is written to app storage.
  // Both calls below throw GeneralSecurityException and IOException, so wrap or declare them.
  String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);

  SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
      "secret_shared_prefs",   // name of the encrypted preference file
      masterKeyAlias,
      context,                 // any Context, e.g. getApplicationContext()
      EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
      EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
  );

  // use the shared preferences and editor as you normally would
  SharedPreferences.Editor editor = sharedPreferences.edit();

As already discussed in many threads, there is no "really secure" solution on Android. It is better if the user authenticates with his password on the server. If it is a developer web service, then in most cases you have an API that you can use. Then you can work with access tokens.

  • The password that I'm trying to encrypt is not the user's username and password; they're my username and password to use a third-party service in my app. I searched SharedPreferences and came upon https://developer.android.com/topic/security/data#java but even if I were to save my passwords to a file, put it in my app and read them securely with the methods there, it's not secure, is it? – Zahra Apr 22 '22 at 13:48
  • I understand your point of view. I don't know what service you are using, but in most cases you have an API for which you can use an access token. As I mentioned before, EncryptedSharedPreferences is not the best option either, but better than writing your password directly into the source code or reading it from an ordinary file. – Dominik Teroerde Apr 22 '22 at 14:10
  • Of course I don't know how your app behaves and at which point you need to connect to this third-party service you mentioned. But have you thought about a more "hybrid" approach? If you have any kind of backend that your app communicates with, you can ask your backend for the (username, password) pair, use it to connect to the service and then remove it from the app's memory, thus not storing credentials in the app at all. It won't be 100% secure (as nothing is) but it will decrease the time during which the password/username is exposed in the app. – bmaciejm Nov 23 '22 at 20:10
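Added example, not code from the question or either answer, of the "hybrid" flow described in the last comment: the Rsms credential stays on your own backend, is fetched once per session with the user's own token, used, and then wiped from the app's memory. The backend URL, the JSON response shape, the session token and the Rsms(String, String) constructor from the question are all assumptions.

```java
import org.json.JSONException;
import org.json.JSONObject;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;

public final class ThirdPartyCredentialBroker {
    // Hypothetical endpoint on YOUR backend, which is where the real Rsms credential lives.
    private static final String BACKEND_URL = "https://backend.example.com/v1/rsms-credential";
    static final class Credential {
        final String username;
        final char[] password;  // char[] so the app's copy can be overwritten after use
        Credential(String u, char[] p) { username = u; password = p; }
        void wipe() { Arrays.fill(password, '\0'); }
    }
    // Asks the backend for the credential using the user's own session token, so the
    // backend can authorise, log and rate-limit the request. Must run off the UI thread.
    static Credential fetch(String sessionToken) throws IOException, JSONException {
        HttpURLConnection c = (HttpURLConnection) new URL(BACKEND_URL).openConnection();
        c.setRequestProperty("Authorization", "Bearer " + sessionToken);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK)
            throw new IOException("backend refused credential request: " + c.getResponseCode());
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        try (InputStream in = c.getInputStream()) {
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        }
        // Assumed response shape: {"username": "...", "password": "..."}
        JSONObject json = new JSONObject(buf.toString("UTF-8"));
        return new Credential(json.getString("username"), json.getString("password").toCharArray());
    }
    // Uses the credential for one connection, then wipes the copy the app holds.
    static void useRsms(String sessionToken) throws IOException, JSONException {
        Credential cred = fetch(sessionToken);
        try {
            // Rsms is the question's class. Its String constructor means the JVM keeps an
            // immutable copy we cannot scrub, so the exposure window is shortened, not removed.
            Rsms s = new Rsms(cred.username, new String(cred.password));
            // ... call the service through s ...
        } finally {
            cred.wipe();
        }
    }
}
```

Having the backend hand out a short-lived, scoped access token instead of the raw password, as the answer suggests, is the stronger variant of the same flow and leaves this client code unchanged.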

Try to save it with EncryptedSharedPreferences: https://github.com/behnamnasehi/EncryptedSharedPreferences
