Recover md5 password from an Android application


I've created an Android application where I ask for a password to access the app. The user registers this password (numeric) and an email to recover password, the data is written in SQLite and I am using MD5 to save to the database and "log in" in the application ...

It is an application that hides images and videos ... It mounts a gallery, there to access the application and see the gallery of images and videos, you need the password. It does not connect to any web server ... If I leave the password visible, the person can open the database with an explorer or even SQLite app and view / edit the password easily. Since my app can hide even very important content (such as close videos), this would result in an unfortunate 1-star rating on my application.

In short, I do not want extra security, I just want it to be difficult for someone to figure out the password, or at least not make it difficult for the bank to see it.

How to recover this password if the user forgets, I was thinking of sending via email, but there is no way, since I would be sending the password in MD5!

Some other method?

asked by anonymous 18.09.2014 / 08:22

3 answers


Firstly, using MD5 for hashear passwords is a bad idea. You should decide whether or not it is important to do this hash, and if the answer is "yes," do it appropriately (ie using a proper hash algorithm for that purpose, which employs a salt and a working factor).

In general, the password hash is based on the following scenario: "I have a database, serving an application that can be accessed over the internet; if someone obtains a copy of this database - via SQL Injection, or through a backup found in the trash, or whatever - I do not want that person to immediately see what the user's passwords are, and so log in as if they were ".

According to the above description, ask yourself:

  • Is my application remotely accessible?

    If the answer is no , there is little point in having the passwords - save them in plain text. For those who have physical possession of the device does not need the password to access - and even modify - your SQLite database.

  • Is there a scenario in which unauthorized people can get a read (and read-only) copy of my database?

    I have difficulty imagining such a scenario. Maybe you loaned your phone to someone who was malicious, and that person found a vulnerability in your app and used it to get a copy of the bank? Without the first item of "remote access" this scenario seems a bit exaggerated ... See if you can think of any other.

    If such a scenario exists, then the ideal is to have a proper hash, in the correct way (see question linked at the beginning of this answer). In this case, you should not give the user the option to recover his password, but rather to reset it.

Password hash is not a panacea: it serves very specific purposes - 1) Protect the password itself (ie your system has already been hacked, it already was!) But you do not want the attacker take advantage of this to invade other systems in which the user reused the password); 2) Prevent a read vulnerability from escalating to a full write / access vulnerability.

If this answer did not resolve your inquiries, please provide a more detailed description of your threat model - describe what this password is, what it protects and how important it is that it protects, and what the consequences of it being "leaked"; cite the scenarios in which you expect that a hashed password would be better than a simply stored password, or other possibilities of misuse of your application that come to mind. Etc.

P.S. One last point, about "recover password / access by e-mail": on your mobile phone can you access your e-mail? No password required? Because the person who is in possession of it and is "barred" from accessing your application because of a password, can not simply ask to reset the password by email and then read on the device itself the response of that email ?

18.09.2014 / 09:52

First, change your hashing algorithm. MD5 is not recommended for passwords, and can be broken easily. Take a look at the SHA256, SHA512, BCrypt and BlowFish algorithms (I recommend the last two, the first two being very similar to MD5 but much stronger). Secondly, would not it be easier to reset the password than to retrieve it, since hashes are virtually irreversible? In practice, password recovery is a reset, so in password protected systems you do not recover your password, but rather redefine it. The reset can occur in two ways: either the system generates a new password and sends it to the user, or the system asks a security question defined by the account owner, so that if the question is answered correctly, the Password Reset. The second method is preferable in web applications because it is easier to interact with the user. My suggestion is to add a security question system or reset address, as E-Mail providers do.

18.09.2014 / 18:37

I found the answer, I will not accept my own answer because it was finalized thanks to the answers of g.carvalho97 and mgibsonbr, I am responding to just aggregate to the content for anyone who is in doubt as well.

I used BCrypt in password and password verification. The use of it is quite simple. On the BCrypt JAVA website you have an example and download link: BCrypt

If the user forgets the password, a password reset code is sent, this code is a sequence of automatically generated characters stored in memory for a while. The user informs this code in the application, then he will have access to the password reset!

As mentioned by mgibsonbr, it's not a totally secure solution, but it's what it's serving me for now.

19.09.2014 / 01:13