Android where to store credential info like url, username, passcodes?

Question

I have an app which will connect to server and provide some basic connection credential information like server url, userer, application id etc What is the best option for storing this information within the android app? Should it be a preference? not sure where to store these items. I should clarify this question a bit. There are different levels of security requirements, so I am interested in hearing about how to encrypt the password etc, but there are also items which are generally not encrypted like connection urls etc, so I am also interested in how to store such information as well. I am basically looking for a better solution

I would like to point you this http://stackoverflow.com/a/20560574/730807 — Durai Amuthan.H, Nov 27 '14 at 22:38

score 0 · Accepted Answer · edited May 23 '17 at 12:29

0

You can programatically CRUD SharedPreferences to store this information. PreferenceManager.getDefaultSharedPreferences is one way to access them. Read this guide to get started: http://developer.android.com/guide/topics/data/data-storage.html#pref

Android will prevent other applications from accessing whatever you store in SharedPreferences or a SQLite database. In either way, you are still storing information in the clear. If an attacker gains root access, they can read that information.

Update - I couldn't find this earlier, but here is some sound advice from Reto Meier: What is the most appropriate way to store user settings in Android application

edited May 23 '17 at 12:29

Community

1
1

answered Aug 30 '11 at 18:57

Eric Levine

13,536
5
49
49

You DO NOT EVER store private information in public files like SharedPreferences. This should be stored in a session cookie. – Codeman Aug 30 '11 at 18:58
@Pheonixblade9 - I didn't say the OP *should*, just that he *can*. I also included a detailed disclaimer describing the downside of this approach. – Eric Levine Aug 30 '11 at 19:02
The OP implied that he is new to Android development. As such, it is incorrect to point him down an incorrect path. I'm sorry, but I disagree. This information should not be stored locally, and should not even be suggested as an option. – Codeman Aug 30 '11 at 19:04
@Pheonixblade9 - I wanted to reference this earlier but couldn't find it. Read this thread: http://stackoverflow.com/questions/785973/what-is-the-most-appropriate-way-to-store-user-settings-in-android-application – Eric Levine Aug 30 '11 at 19:12
Ok. The shared preferen.ces appears to be most common way to store this. In my case I don't want the user of the app to change the preference however, just the developer. Is there a way store in a preferences file without allowing user of app to read the entry as preference? – Androider Aug 30 '11 at 20:01
@Androider - Using SharedPreferences does not mean that the user has the ability to make changes. SharedPreferences is simply a developer API for persisting data. I think you are confusing it with PreferenceActivity, which does give the user a UI for changing preferences: http://developer.android.com/reference/android/preference/PreferenceActivity.html – Eric Levine Aug 30 '11 at 20:06
I see. I would rather read from file so the values are at least not hard coded, and I suppose you can do that with shared preferences? – Androider Aug 30 '11 at 20:10
Behind the scenes, SharedPreferences is managing an XML file. It just gives you an easy API to work with that XML file, so you can store and retrieve information with it. No need to "hard code" anything. – Eric Levine Aug 30 '11 at 20:31

score -1 · Answer 2 · answered Aug 30 '11 at 19:00

You want to use an HTTPClient and store these values in session cookies (handed out by the server).

These cookies are automatically managed by the HTTPClient whenever you make a request until the cookies expire.

DO NOT DO NOT DO NOT store this information in a local database or in Preferences. Anyone that plugs that phone into their computer can browse the database extremely easily if they are so inclined.

score -2 · Answer 3 · answered Aug 30 '11 at 18:05

-2

I think preferences is the best. Storing in SQLite database might not be secure. Databases can be pulled out and accessed(also using SQLite Editor apps), but preferences cannot be accessed by any other applciation.

answered Aug 30 '11 at 18:05

dcanh121

4,665
11
37
84

1

SharedPreferences are stored as XML files. They do not offer any more or less security than the SQLite database. Other applications are prevented from accessing either one via filesystem privileges. – Eric Levine Aug 30 '11 at 18:29
how would you keep the end user from being able to edit a preference like this? – Androider Aug 30 '11 at 18:39
Ok. I don't want the app user to change these settings as they are application connection strings. how do I keep user from being able to bring up app preferences? – Androider Aug 30 '11 at 18:41

Android where to store credential info like url, username, passcodes?

3 Answers3