How to use login features in Android app safely?

Firstly, there is no OAuth or anything similar supported on the server side, just a normal database query by username and password.

I want to implement an Android client for a website. My questions:

  • How to log in securely? With HTTPS?
  • How to safely store the user's login information on the phone so they can log in next time without entering it again?
  • If the user performs some actions after logging in, how should the client behave? How do I keep a session? Copy and send multiple cookies, for example "jsessionid"?
1 answer
  • HTTPS is apparently the best choice, since the username and password will be encrypted between the device and the server (i.e. if the user uses Wi-Fi at the airport, their credentials cannot be "sniffed").
  • You can save the password on the device in SharedPreferences using PreferenceManager.getDefaultSharedPreferences() and read it back later in your code automatically. You can give the user an option to clear the password. On unrooted devices, no other application can access your app's private storage, so the data stays safe. It is accessible on rooted devices, but reduced security is one of the drawbacks of rooting.
  • It really depends on the server. Most websites use a phpsessionid or jsessionid cookie. In this case, see Android Http get Session Cookie and How to make an HTTP request using cookies on Android?

OAuth is, of course, preferable because it prevents the actual application from storing/accessing the server directly (instead it is basically a long-term cookie).

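To make the answer's three points concrete, here is an added example (not code from the original question or answer) of an Android client that sends the credentials once over HTTPS, captures the server's session cookie with java.net.CookieManager, and persists only that session id in private SharedPreferences for the next launch. The login URL, the form field names and the JSESSIONID cookie name are assumptions; a real site may use different ones.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import javax.net.ssl.HttpsURLConnection;
import android.content.Context;
import android.content.SharedPreferences;

// Hypothetical client for a form-login site: the password travels only over HTTPS and
// only once; afterwards the server's session cookie, not the password, is persisted.
public class SessionClient {
    private static final String LOGIN_URL = "https://example.invalid/login"; // assumed endpoint
    private static final String SESSION_COOKIE = "JSESSIONID";              // assumed cookie name
    private static final String PREFS_KEY = "session_id";
    private final CookieManager cookies = new CookieManager();
    private final SharedPreferences prefs;

    public SessionClient(Context ctx) {
        // MODE_PRIVATE: the file is readable only by this app on an unrooted device.
        prefs = ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
        CookieHandler.setDefault(cookies); // process-wide cookie jar used by HttpsURLConnection
        String saved = prefs.getString(PREFS_KEY, null);
        if (saved != null) { // re-attach the stored session id instead of re-sending the password
            HttpCookie ck = new HttpCookie(SESSION_COOKIE, saved);
            ck.setPath("/");  // must match the request path or CookieManager will not send it
            ck.setVersion(0); // plain "Cookie: JSESSIONID=..." header, no $Version prefix
            cookies.getCookieStore().add(URI.create(LOGIN_URL), ck);
        }
    }

    // POSTs the credentials once; on HTTP 200 the Set-Cookie already captured by the
    // CookieManager is searched for the session id, which is then persisted.
    public boolean login(String user, String password) throws IOException {
        HttpsURLConnection c = (HttpsURLConnection) new URL(LOGIN_URL).openConnection();
        c.setRequestMethod("POST"); c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "username=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
        if (c.getResponseCode() != HttpsURLConnection.HTTP_OK) return false;
        for (HttpCookie ck : cookies.getCookieStore().get(URI.create(LOGIN_URL))) {
            if (SESSION_COOKIE.equals(ck.getName())) { prefs.edit().putString(PREFS_KEY, ck.getValue()).apply(); return true; }
        }
        return false; // 200 without a session cookie: treat the login as failed
    }
}
```

Every later HttpsURLConnection in the same process sends the cookie automatically; clearing the CookieStore and the preference entry logs the user out.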