0x5d - Android AccountManager not yet addressed

OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

https://mas.owasp.org/

Creative Commons Attribution Share Alike 4.0 International

11.57k stars 2.29k forks source link

0x5d - Android AccountManager not yet addressed #1890

Open cpholguera opened 3 years ago

cpholguera commented 3 years ago

Security implications? when to use it instead of the Keystore?

jessystecroix717 commented 3 years ago

[https://github.com/OWASP/owasp-mstg/issues/1890#issue-849928348]()

jessystecroix717 commented 3 years ago

cpholguera commented 2 years ago

in general to avoid storing user credentials it's better to use the AccountManager whenever possible.
if multiple apps should use the same credential it's better to use the AccountManager.
if only one application uses the credential, you might use a KeyStore for storage.