How to securely store access token and secret in Android?

by

Store them as shared preferences. Those are by default private, and other apps cannot access them. On a rooted devices, if the user explicitly allows access to some app that is trying to read them, the app might be able to use them, but you cannot protect against that. As for encryption, you have to either require the user to enter the decrypt passphrase every time (thus defeating the purpose of caching credentials), or save the key to a file, and you get the same problem.

There are a few benefits of storing tokens instead of the actual username password:

  • Third party apps don’t need to know the password and the user can be sure that they only send it to the original site (Facebook, Twitter, Gmail, etc.)
  • Even if someone steals a token, they don’t get to see the password (which the user might be using on other sites too)
  • Tokens generally have a lifetime and expire after a certain time
  • Tokens can be revoked if you suspect they have been compromised

More Related Contents:

  1. How to keep the OAuth consumer secret safe, and how to react when it’s compromised?
  2. How do I get the authorization code for uber oauth
  3. How to avoid reverse engineering of an APK file
  4. How do I prevent Android taking a screenshot when my app goes to the background?
  5. Android: Retrieving shared preferences of other application
  6. How to prevent Screen Capture in Android
  7. How to encrypt and decrypt file in Android?
  8. Referencing a string in a string array resource with xml
  9. How permission can be checked at runtime without throwing SecurityException?
  10. Android SharedPreference security
  11. Restrict API requests to only my own mobile app
  12. How to securely store credentials (password) in Android application?
  13. android: Determine security type of wifi networks in range (without connecting to them)
  14. OAuth secrets in mobile apps
  15. How to Secure Android Shared Preferences?
  16. Android Preferences: How to load the default values when the user hasn’t used the preferences-screen?
  17. Best way to secure Android app sensitive Data?
  18. Android: application-wide font-size preference
  19. How to use Google Login API with Cordova/Phonegap
  20. Make Android WebView not store cookies or passwords
  21. How to secure my app against piracy
  22. How to enable AutoStart option for my App in Xiaomi phone Security App programmatically in android
  23. How to prevent NFC tag cloning?
  24. Android: No Activity found to handle Intent error? How it will resolve
  25. Google Play security alert for insecure TrustManager
  26. Can SharedPreferences be shared among different Android applications?
  27. How to use an API from my mobile app without someone stealing the token
  28. How to manage installation from Unknown Sources in Android Oreo?
  29. Disabling of EditText in Android
  30. How can you display upside down text with a textview in Android?

Leave a Comment