Secure username and password in Android
Question
Problem Description
I am writing application which must connect to the server and download some data from the server. The URL of the file witch must be downloaded is formatted as follow:
http://www.myserver.com/file.xml?username=xxx&password=xxx
Question
URL and password are not provided by the user, I simply keep them in the code and add to the URL where I need. My question is how can I keep securely password and username on the Android device.
4 answers
solution1
0 2013-05-15 12:44:54
在Android中,您可以使用Md5编码方法进行密码编码,如果您需要保存这些用户详细信息,则它将存储在共享首选项中
solution2
0 2013-05-15 12:58:28
Did you see if you can use Google OAuth2: http://developer.android.com/training/id-auth/authenticate.html
If not, do not send user name and password in the URL but in a HTTPS POST and the correct way is using SOAP web services.
solution3
0 2013-05-15 13:02:07
Just as a hint there is a good talk on google io conference about security of android apps.
They don't cover secure server communication explicitly but give some hints about it and provide an encryption library to simplify any encryption tasks.
solution4
0 ACCPTED 2013-05-15 13:10:11
I would advise against keeping any kind of credential (username) and authenticator (password) stored on your device, as well as transmitting them around; this is often considered a security flaw, since middle-man attacks can intercept the HTTP traffic and easily identify both.
I would recommend instead the creation a token engine that would associate temporary identifiers to users and devices. For example:
- User ID 100 receives a temporary token, code A1S2D3F4 (randomly generated.)
- The code is associated with the device ID AND200 .
- Whenever device AND200 tries to access the server, it would generate the following URL:
Notice that there is no content identifying the user, nor its credentials or passwords. You may check if the device generating the URL is the one the token was originally associated with. Adittional controls may be implemented to detect tokens being used out of their lifespan, and help identify malicious users.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.