If you want to save passwords, you are either implementing an ancient authentication protocol or doing it wrong.

Solution: Implement OAuth for your service and then implement your own authenticator on Android (http://udinic.wordpress.com/2013/04/24/write-your-own-android-authenticator/). This way you never need to store passwords; you store a refresh_token, which can be revoked via a web interface by users if their smartphone has been compromised.

Regards
Dominik

On 08/12/2014 01:28 PM, Kapil Gambhir wrote:
> What is the recommended approach for an app to securely store the
> username/password credential on Android, so that no one else can sniff that
> sensitive data? Bigger issue being that most of the users don't use
> whole-disk encryption.
> I was playing around with SharedPreferences (seems to be clear text),
> AccountManager (not encrypted) and KeyChain (not for passwords but keys and
> certificates) but, because of the reason mentioned in brackets, am not sure of
> the right approach to store the user credentials so that its security is
> respected. On the wire, the app would be using SSL, so that part is
> covered; it's largely the on-device storage of secured credentials.
>
> Any help will be highly appreciated.
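The authenticator Dominik describes, as an added example that is not code from the thread or from the linked blog post: an Android AbstractAccountAuthenticator that keeps an OAuth 2.0 refresh_token in the AccountManager "password" slot instead of the user's password, and exchanges it for a short-lived access token (RFC 6749 section 6) whenever a caller asks for one. The account type, token endpoint URL and client_id are placeholder assumptions, and the server is assumed to answer the refresh_token grant with a JSON object containing access_token; the login Activity that runs the initial OAuth flow and stores the refresh_token with AccountManager.setPassword is not shown.

```java
// Added example, not from the original mailing-list post. Assumed values:
// ACCOUNT_TYPE, TOKEN_ENDPOINT and CLIENT_ID are placeholders for your service.
import android.accounts.AbstractAccountAuthenticator;
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
import android.accounts.NetworkErrorException;
import android.content.Context;
import android.os.Bundle;
import org.json.JSONException;
import org.json.JSONObject;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class RefreshTokenAuthenticator extends AbstractAccountAuthenticator {
    static final String ACCOUNT_TYPE = "com.example.myservice";            // assumed
    static final String TOKEN_TYPE_ACCESS = "access";                       // assumed
    static final String TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"; // assumed
    static final String CLIENT_ID = "android-app";                          // assumed

    private final Context ctx;

    public RefreshTokenAuthenticator(Context ctx) {
        super(ctx);
        this.ctx = ctx;
    }

    @Override
    public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
                               String authTokenType, Bundle options) throws NetworkErrorException {
        AccountManager am = AccountManager.get(ctx);
        // Reuse an access token AccountManager still caches for this account.
        String access = am.peekAuthToken(account, authTokenType);
        if (access == null || access.isEmpty()) {
            // The "password" slot holds the refresh_token, never a user password.
            // AccountManager only lets the authenticator's own UID read it.
            String refresh = am.getPassword(account);
            if (refresh != null) {
                try {
                    access = exchangeRefreshToken(refresh);
                } catch (IOException e) {
                    throw new NetworkErrorException(e);
                }
                if (access != null) {
                    am.setAuthToken(account, authTokenType, access);
                }
            }
        }
        Bundle result = new Bundle();
        if (access != null) {
            result.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
            result.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
            result.putString(AccountManager.KEY_AUTHTOKEN, access);
            return result;
        }
        // Refresh token missing or revoked by the user: report a hard
        // authentication failure so the caller re-runs the login flow.
        result.putInt(AccountManager.KEY_ERROR_CODE, AccountManager.ERROR_CODE_BAD_AUTHENTICATION);
        result.putString(AccountManager.KEY_ERROR_MESSAGE, "refresh token missing or revoked; sign in again");
        return result;
    }

    /** RFC 6749 section 6: POST grant_type=refresh_token to the token endpoint. */
    static String exchangeRefreshToken(String refreshToken) throws IOException {
        HttpsURLConnection c = (HttpsURLConnection) new URL(TOKEN_ENDPOINT).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "grant_type=refresh_token"
                + "&refresh_token=" + URLEncoder.encode(refreshToken, "UTF-8")
                + "&client_id=" + URLEncoder.encode(CLIENT_ID, "UTF-8");
        try (OutputStream out = c.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != 200) {
            return null; // a 400 invalid_grant here is what a user-side revocation looks like
        }
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = r.readLine()) != null) sb.append(line);
            return new JSONObject(sb.toString()).getString("access_token");
        } catch (JSONException e) {
            throw new IOException("malformed token response", e);
        }
    }

    // The remaining callbacks: the login Activity owns the add-account UI, and
    // this authenticator advertises no optional features.
    @Override public Bundle addAccount(AccountAuthenticatorResponse r, String type, String tokenType,
                                       String[] features, Bundle opts) { return null; }
    @Override public Bundle editProperties(AccountAuthenticatorResponse r, String type) { return null; }
    @Override public Bundle confirmCredentials(AccountAuthenticatorResponse r, Account a, Bundle opts) { return null; }
    @Override public Bundle updateCredentials(AccountAuthenticatorResponse r, Account a, String tokenType,
                                              Bundle opts) { return null; }
    @Override public String getAuthTokenLabel(String tokenType) {
        return TOKEN_TYPE_ACCESS.equals(tokenType) ? "Access to MyService" : null;
    }
    @Override public Bundle hasFeatures(AccountAuthenticatorResponse r, Account a, String[] features) {
        Bundle b = new Bundle();
        b.putBoolean(AccountManager.KEY_BOOLEAN_RESULT, false);
        return b;
    }
}
```

Two caveats worth keeping in mind with this design. The refresh_token still sits unencrypted in AccountManager's database, so on a rooted device or one without disk encryption it remains a bearer secret; what the user gains over a stored password is that the token is scoped to one service, can be revoked from the web interface Dominik mentions, and cannot be replayed against other sites where the same password was reused. And when the server answers the refresh with invalid_grant, treat it as a revocation rather than retrying: call AccountManager.invalidateAuthToken for any cached access token and send the user back through the login flow.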
