How to encrypt session values in Android

I am developing a web-server-based Android application. Users who have installed the application must register online so that they can log in. When someone tries to log in, I check their information using the API.

So, I am curious about how to proceed with the encryption. Should I encrypt the values, or just put them all in SharedPreferences as they are? If encryption is required, what is the efficient way to do it?

Last but not least, are SharedPreferences sufficient for security?

Thanks.

+4
3 answers

Of course, you must encrypt user preferences, such as login, password, or maybe email. I prefer SharedPreferences for storage, and yes, that's enough from a security point of view.

I found these two methods on StackOverflow; this is fair enough:

    import android.content.Context;
    import android.provider.Settings;
    import android.util.Base64;

    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;
    import javax.crypto.spec.PBEParameterSpec;

    // The snippet references these three members without showing them; the
    // declarations below are assumed so that it compiles. SEKRIT is the
    // hard-coded application "secret" the PBE key is derived from.
    private static final String UTF8 = "utf-8";
    private static final char[] SEKRIT = "placeholder-app-secret".toCharArray(); // placeholder value
    private final Context context;

    protected String encrypt(String value) {
        try {
            final byte[] bytes = value != null ? value.getBytes(UTF8) : new byte[0];
            // PBEWithMD5AndDES: legacy PBES1 scheme (MD5-based KDF, 56-bit DES)
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
            SecretKey key = keyFactory.generateSecret(new PBEKeySpec(SEKRIT));
            Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
            // Salt = the device's ANDROID_ID (Settings.Secure.ANDROID_ID is the
            // current constant; the Settings.System one is deprecated), 20 iterations
            pbeCipher.init(Cipher.ENCRYPT_MODE, key,
                    new PBEParameterSpec(Settings.Secure.getString(context.getContentResolver(),
                            Settings.Secure.ANDROID_ID).getBytes(UTF8), 20));
            return new String(Base64.encode(pbeCipher.doFinal(bytes), Base64.NO_WRAP), UTF8);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    protected String decrypt(String value) {
        try {
            final byte[] bytes = value != null ? Base64.decode(value, Base64.DEFAULT) : new byte[0];
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
            SecretKey key = keyFactory.generateSecret(new PBEKeySpec(SEKRIT));
            Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
            // Same secret, same salt and iteration count as encrypt(), so the
            // derived key and parameters match
            pbeCipher.init(Cipher.DECRYPT_MODE, key,
                    new PBEParameterSpec(Settings.Secure.getString(context.getContentResolver(),
                            Settings.Secure.ANDROID_ID).getBytes(UTF8), 20));
            return new String(pbeCipher.doFinal(bytes), UTF8);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

I could not find the link; if I find it, I will edit my answer.

Edit: I found the source; you can see all the discussion here.

+2

Encryption is very simple, but the real question is: which key? If you hard-code the key in the application or derive it from any known value, anyone with access to the device can easily decrypt these values. What you achieve is simply obfuscation. Since Android does not have an open API for the system keystore, you cannot do much if you need to keep the actual password. Unless, of course, you make the user enter the password every time they launch the application, which rather defeats the purpose.

If you control both the server and the client, another approach is to use some form of token-based authentication and save only the token. Since tokens can expire and be revoked, the damage caused by someone capturing your token is much smaller than disclosing the actual password (which may be reused on other sites).

+3

Please refer to this link:

http://www.androidsnippets.com/encryptdecrypt-strings

Let me know if this helps.

+2
