
How to save an OAuth access token securely in Android

I have an access token from the server after authentication, let's say "uyhjjfjfgg567f8fhjkkf", and now I want to save it on the device securely. I looked at Keystore and Keychain on the Android developer site. I don't clearly understand how it works or how we should retrieve the token from the keystore.

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.util.Enumeration;

// Alias under which the key pair is stored (placeholder name).
String alias = "my_key_alias";

// Generate an EC key pair for signing/verification inside AndroidKeyStore;
// the private key never leaves the keystore.
KeyPairGenerator kpg = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
kpg.initialize(new KeyGenParameterSpec.Builder(
        alias,
        KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
        .setDigests(KeyProperties.DIGEST_SHA256,
            KeyProperties.DIGEST_SHA512)
        .build());

KeyPair kp = kpg.generateKeyPair();

/*
 * Load the Android KeyStore instance using the
 * "AndroidKeyStore" provider to list out what entries are
 * currently stored.
 */
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
Enumeration<String> aliases = ks.aliases();

You don't need to save the access token, since it has a short life anyway. Keeping it in memory is good enough.

You do need to keep the refresh token, and you have a few options for that:

  • In a file
    • Either directly in a file in the internal storage
    • or using SharedPreferences
    • or in a Database
  • Using the AccountManager

Consider using the StoredCredential. For the flow itself, I recommend you use Google's AppAuth library.

Of course, you can also encrypt the key using a cipher:

import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

private static final String KEY_ALGORITHM = "AES";
private static final String CIPHER_ALGORITHM = "AES/CBC/PKCS5Padding";
private static IvParameterSpec sInitVectorSpec; // 16-byte IV; use a fresh random IV per message, never a fixed one

private static byte[] encrypt(byte[] key, byte[] text) throws GeneralSecurityException {
    final SecretKeySpec skeySpec = new SecretKeySpec(key, KEY_ALGORITHM);
    final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, sInitVectorSpec);
    return cipher.doFinal(text);
}

And the key can be stored in the KeyStore.

Here you can find a really good article by Androidauthority regarding the possibilities available for Android security.

A comprehensive example of an Android keystore implementation can be found here.

And another good option is Google's keyczar, which you can follow on the git repository for samples and details. There you can also find a detailed list of the Known Security Issues, so you can see if it suits your further implementation.

For your current issue I would recommend going with Android Keystore, following the example implementation in the second link above.

Good luck!

We use a custom SharedPreferences instance that encrypts the keys and values when adding, and decrypts when requesting.

SecurePreferences preferences = ...
preferences.edit().putString( "key", "value" ).apply(); // key and value are encrypted automatically

String value = preferences.getString( "key", null ); // key and value are decrypted automatically

I would only recommend using SharedPreferences if the values are encrypted, because even though the XML file is only available to the app, it can be accessed on rooted devices.

If you are already using a SQLite DB, I would probably use that. If not, it's a bit heavy for just saving a token.

EDIT:

An OAuth token is completely unrelated to the key and keystore used to sign the app.

The OAuth token is a token provided by the server after validating the user's credentials, within the app.

The signing keystore contains one or more certificates that are used to digitally sign the app. This is to prevent someone else from uploading an app that has the same package name as yours and replacing it.
