Open GoogleCodeExporter opened 8 years ago
Hi Ramakrishnan
Thank you for your message and using my app. I do know that the preferences are
saved on the device in the clear. It is possible that according to the Android
design this "might" be ok - see this comment (stolen from Stackoverflow -
http://stackoverflow.com/questions/6355003/android-encrypt-password )
----Now, on to the secureness of storing the password (what follows is valid
for both storing the password in SharedPreferences and in AccountManager). As
long as the device on which your application is running is not rooted, it is
completely secure. No other app but yours can read the password. You can't even
read the password if you connect the phone to a PC using a USB cable and use
adb pull to try and get the respective file.
----However, if the phone is rooted, any app that gets root access can read the
password. Also, adb pull works, and you can get to the password in seconds.
Now, given this, I have two options:
- Encrypt the password before storing it in the preferences file. But given
that my app is open source, I'm not sure if this even makes sense, since all
someone has to do is look up the source code and they can find out the key that
is used to encrypt the password. Also note that on a rooted phone, someone
could very easily access ALL the passwords that are stored in the
AccountManager (provided the phone is rooted) - see
http://security-n-tech.blogspot.com/2011/01/security-issue-exposed-by-android.html
- Use the account manager to store the password.
I might end up going down this route, since almost all applications seem to
trust the AccountManager with their passwords (though it is not secure in a
rooted phone).
Do let me know your thoughts.
Regards
Vivek
Original comment by viveki...@gmail.com on 23 Aug 2011 at 11:15
Hi Vivek,
Thanks a lot for your detailed reply. Now my worry about security has increased, as I'm using many apps which need root permission.
Though I'm not an Android developer, I have a few suggestions. Is it possible to have an encryption key which is dynamic? The program should choose the key based on some unique device property like the IMEI number or UID.
Correct me if I am wrong.
-Ramakrishnan
Original comment by grk...@gmail.com on 24 Aug 2011 at 10:25
Original issue reported on code.google.com by grk...@gmail.com on 16 Aug 2011 at 10:44