
I'm making an Android application and currently I have my server username and password written as constants in my code (which is not very secure). I have researched online but I couldn't really find anything that would completely secure the password from the user, or at least keep it away from hackers. Could anyone help me out on how to securely store a password locally on Android? Thanks!

Pranav

1 Answer


It seems your question is actually "can I restrict server access to my application only?". This is not possible. Once an application or file exists on a client (e.g. a user device), there's no sure-fire way to prevent that client from accessing anything in that application or file, with or without your authorization.

If the device can read it, then the device can read it - regardless of whether it's actually your application doing the reading, or something else pretending to be the application.

The most you can do is try to obfuscate the credentials, but this is unlikely to be useful - those who might have an interest in extracting credentials from your application will also likely be those who have the skills to bypass such obfuscation.

I can't really give you a more specific suggestion without knowing your use case. For remote APIs, API keys are typically used - but this would require that the user create an account. For account-less applications, what you want is simply not possible.

I should also note that "preventing hackers" is not a meaningful goal - that can mean many things. You'll want to read up on how threat modelling works, and determine exactly who your 'attackers' are, what their goals are, and what their capabilities are. Only then can you try to find solutions against it.

EDIT: Just wanted to add an extra word of warning: anybody telling you that obfuscation is "effective" for this kind of scenario is trying to sell you something. Unfortunately they are generally rather successful in such attempts. The obfuscation model cannot and does not work.

Sven Slootweg
  • Thanks a lot! I am actually using users in my application, but I have some information on my server that doesn't hold user information, so I was trying to download that with my server username and password. Now, I'll just use the username and password provided by the user to a servlet which will then process the information and give me the response that I want. – Pranav May 12 '15 at 20:43
  • @Pranav Yep, that sounds like the right solution :) Make sure to use TLS (HTTPS) for the connection, so that the login can't be intercepted by a malicious access point! It's even better if you hardcode the TLS certificate or certificate authority into your app. You can Google around for "MITM attack" for more information on the kind of attack that prevents. – Sven Slootweg May 13 '15 at 07:02
  • @Pranav In addition to Sven's advice, you might also use a commercial obfuscator that has string encryption functionality. Even if you are using the SSL pinning technique, it is not a problem to tamper with the application and to change the certificate. So the good practice is to protect your application's integrity (Integrity Control/Anti Tampering) and encrypt its valuable data. I would recommend our product DexProtector to do that. N.B. I am affiliated with Licel (developer of DexProtector). – Ivan Kinash May 26 '15 at 13:04
  • @IvanKinash Obfuscators are snake oil. They do not and cannot work. – Sven Slootweg May 26 '15 at 20:16
  • @SvenSlootweg Sorry but I just cannot agree with you. – Ivan Kinash May 27 '15 at 12:42
  • @IvanKinash Of course you can't. You're working for a company that sells such snake oil obfuscators. Perhaps you haven't read my original post well enough to see the warning that I put in against *exactly that*? – Sven Slootweg May 27 '15 at 13:27
  • @SvenSlootweg I have read your original post and saw your edit. I am actually a very honest person and would never work for something useless, and especially not sell it. I do not know what background in mobile application security you have, but what you wrote about obfuscators is complete nonsense. So did I understand you right that if, for example, one developed a mobile banking application, he or she should not obfuscate (here I mean protect with techniques such as string encryption, class encryption, hiding method calls, ... + name obfuscation) the code? A clone application will appear in hours. – Ivan Kinash May 28 '15 at 14:35
  • @IvanKinash That is utter nonsense. No, a mobile banking application should *not* use obfuscation, it's security theater and doesn't work. Obfuscation will *not* prevent "clone applications" (and I think you're overestimating how much people care about cloning reverse-engineered software). – Sven Slootweg May 28 '15 at 19:35
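The comment thread recommends sending the user's own login over TLS and pinning the server certificate or CA in the app. As an added illustration (not part of the original question or answers), this is what that looks like with Android's Network Security Config (available since Android 7.0, API 24, so it postdates this thread). The domain `api.example.com`, the expiration date and the pin values are placeholders; real pins are the base64-encoded SHA-256 hash of the server's or CA's SubjectPublicKeyInfo.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Placeholder host: replace with the servlet's real hostname. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- After the expiration date pinning is silently disabled and
             normal CA validation applies, so the app keeps working if the
             pins are never rotated. Set it to a real, tracked date. -->
        <pin-set expiration="YYYY-MM-DD">
            <!-- Primary pin: SPKI hash of the leaf or issuing CA in use. -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- Backup pin for a key that is NOT yet deployed; without it a
                 key rotation locks every installed client out of the server. -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>

        <trust-anchors>
            <!-- Only the system store; user-installed CAs (the usual way a
                 proxy on the device intercepts traffic) are not trusted. -->
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Everything else: no plaintext HTTP, system CAs only. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

As the thread itself notes, this protects the user's credentials in transit from a hostile network; it does nothing to hide a secret that is embedded in the APK, which is why the accepted approach was to stop shipping the server credentials at all.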