Details
-
Task
-
Resolution: Won't Fix
-
Critical
-
None
-
None
-
None
Description
1. How to ensure the security of the user's password? (https?)
2. How to securely store the user's password? (AccountManager database?)
3. How to prevent unauthorized apps access to the user's account token?
Tips:
https://groups.google.com/forum/#!topic/android-developers/Vubkbfqimm8
http://stackoverflow.com/questions/8174835/what-protects-android-accountmanager-passwords-from-being-read-by-other-apps
http://stackoverflow.com/questions/10890211/should-you-use-accountmanager-for-storing-usernames-and-passwords-for-an-android
http://www.jiahaoliuliu.com/2012/05/android-account-manager-part-i.html
https://developer.android.com/training/articles/security-tips.html#Credentials
https://developer.android.com/reference/android/accounts/AccountManager.html
Conclusion:
1. AccountManager stores the username and password in plain text. On non-rooted devices this seems to be relatively OK because the AccountManager DB requires root permissions. However, on rooted devices the username and password will be compromised.
2. I can derive a key based on some device property such as ANDROID_ID, MAC address, IMEI code, UserId etc. And then use this secure key to encrypt password so that the password that stored in AccountManager is not plain and it improves the security to a certain extent.
3. if someone knows the algorithm (say, reverses your app), they can generate the same key and decrypt the data and the password.
So, Although we have encrypted password, it's useless and can't prevent others getting the secure key to decrypt password because our android app are open source project and the crypto algorithm itself is open.