Details

    • Similar issues:

      Description

      1. How to ensure the security of the user's password? (https?)
      2. How to securely store the user's password? (AccountManager database?)
      3. How to prevent unauthorized apps access to the user's account token?

      Tips:
      https://groups.google.com/forum/#!topic/android-developers/Vubkbfqimm8
      http://stackoverflow.com/questions/8174835/what-protects-android-accountmanager-passwords-from-being-read-by-other-apps
      http://stackoverflow.com/questions/10890211/should-you-use-accountmanager-for-storing-usernames-and-passwords-for-an-android
      http://www.jiahaoliuliu.com/2012/05/android-account-manager-part-i.html
      https://developer.android.com/training/articles/security-tips.html#Credentials
      https://developer.android.com/reference/android/accounts/AccountManager.html

      Conclusion:
      1. AccountManager stores the username and password in plain text. On non-rooted devices this seems to be relatively OK because the AccountManager DB requires root permissions. However, on rooted devices the username and password will be compromised.
      2. I can derive a key based on some device property such as ANDROID_ID, MAC address, IMEI code, UserId etc. And then use this secure key to encrypt password so that the password that stored in AccountManager is not plain and it improves the security to a certain extent.
      3. if someone knows the algorithm (say, reverses your app), they can generate the same key and decrypt the data and the password.

      So, Although we have encrypted password, it's useless and can't prevent others getting the secure key to decrypt password because our android app are open source project and the crypto algorithm itself is open.

        Attachments

          Activity

            People

            • Assignee:
              fitz Fitz Lee
              Reporter:
              fitz Fitz Lee
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: