Where to save API connection credentials on Android

4

I wanted to know a suitable place to save the api connection (link, username and password), initially I was thinking of saving in an xml, but I believe that any user will have access to this file, being able to open and read. Is there a safer way?

    
asked by anonymous 01.04.2017 / 07:24

2 answers

4

"The best way to protect secrets is not to put them in code."

Not being possible, here are some of the options where to save them:

  • In string resources .
  • Hidden in source code.
  • Hidden in BuildConfigs .
  • Using Proguard.
  • Encrypted / masked strings.
  • Hidden in classes created using NDK.

Whichever option you choose, it does not guarantee 100% protection of the stored values, only makes it difficult to obtain them. A user who "breaks" one, "breaks" the others. It's a matter of having more or less work.

So, choose the easiest to implement, use strings declared in the res / values / strings.xml file.

<resources>
    <string name="user">[email protected]</string>
    <string name="password">dfr125NF56</string>
</resources>

References:

Note: In order to access the application code, if the application is distributed on Google Play, you must have a "rooted" device. This removes the majority of users from accessing the "secrets" stored in the application

    
01.04.2017 / 15:36
2

Several applications, for both Android and IOS, require credentials to use. In one way or another, it is possible to create applications that can be used after creating an account or also applications that you do not have to have, limiting access to them. It's a bit, let's say, boring, for the user every time they use the application, having to re-enter username / email and password again, unless it involves money , as in the case of applications of banks, etc.

On Google's safety tips page that references Android says:

  

In general, we recommend minimizing the frequency of   credentials - to make phishing attacks more   and reduce your likelihood of success. Instead, use a   authorization token and update it.

     

When possible, user names   and passwords should not be stored on the device. Instead,   perform authentication using the username and password provided   by the user and then use a short-duration authorization token   service-specific.

I believe using AccountManger is a viable option for storing credentials. The SampleSyncAdapter provides an example of how to use it.

If it is not an option for you for some reason, you can use persistent credentials using Preferences mechanism . In theory, other applications will not be able to access your preferences because user information is not easily exposed. Also, if they do reverse engineering, they will not have access to this information.

Preferably using token that can be changed from time to time:

SharedPreferences sharedPref = getActivity().getPreferences(Context.MODE_PRIVATE);
SharedPreferences.Editor editor = sharedPref.edit();
editor.putString("email", "[email protected]");
editor.putString("token", "1DCCDD82A62716194A7AEB1C79C9B");
editor.commit();

Regarding the API connection, you can choose to save to a class of constants:

public class Constants {
    public static final String APISERVER = "https://api.meusite.com/";
    public static final String TOKEN = "1DCCDD82A62716194A7AEB1C79C9B";
}

Or in a string resource , res/values/string.xml :

<resources>
    <string name="apiserver">https://api.meusite.com/</string>
    <string name="token">1DCCDD82A62716194A7AEB1C79C9B</string>
</resources>
    
01.04.2017 / 18:04