Geek Answers Handbook

What is the safest way to authorize a user in Android?

In my application, the user logs in with the web service, and the web service returns the authorization key. After this moment, each user of the request does this using this key.

My question is how to safely store this key? I save it in SharedPreferences, but for me it is not very safe.

+7
java android security
source share
2 answers

You are correct using the general settings, not the approach. You should use the Android Keystore System for any such purpose, this is the preferred approach.

Keystore Android allows you to store cryptographic keys in a container to make it harder to extract from the device. When the keys are in the keystore, they can be used for cryptographic operations, while the key material remains non-exportable.

And KeyStoreUsage.java is an example for this.

+2
source share

  • Save in plain text

    Using cleartext means that there is no data protection for the user runtime, assuming that the hacker has physical access to the phone.

  • Store encrypted using a symmetric key

    Developers are a useful group, and they often put encryption keys in search-friendly places, such as com.packagename.android.util.security. Using

  • Android Keystore

    Keystore Android system allows you to store cryptographic keys in a container to make it difficult to extract from the device.

  • Store encrypted using asymmetric keys

    A safer asymmetric encryption option is to remotely store the private key.

See this article for more details.

+1
source share

More articles:


All Articles