I am writing application which must connect to the server and download some data from the server. The URL of the file witch must be downloaded is formatted as follow:
http://www.myserver.com/file.xml?username=xxx&password=xxx
URL and password are not provided by the user, I simply keep them in the code and add to the URL where I need. My question is how can I keep securely password and username on the Android device.
在Android中,您可以使用Md5编码方法进行密码编码,如果您需要保存这些用户详细信息,则它将存储在共享首选项中
Did you see if you can use Google OAuth2: http://developer.android.com/training/id-auth/authenticate.html
If not, do not send user name and password in the URL but in a HTTPS POST and the correct way is using SOAP web services.
Just as a hint there is a good talk on google io conference about security of android apps.
They don't cover secure server communication explicitly but give some hints about it and provide an encryption library to simplify any encryption tasks.
I would advise against keeping any kind of credential (username) and authenticator (password) stored on your device, as well as transmitting them around; this is often considered a security flaw, since middle-man attacks can intercept the HTTP traffic and easily identify both.
I would recommend instead the creation a token engine that would associate temporary identifiers to users and devices. For example:
Notice that there is no content identifying the user, nor its credentials or passwords. You may check if the device generating the URL is the one the token was originally associated with. Adittional controls may be implemented to detect tokens being used out of their lifespan, and help identify malicious users.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.