What is the most secure way to authorize an user in Android?

In my app, user logs in with a web service, and web service returns an Authorization Key. After that point, every request user makes is done with this key.

My question is how to securely store this key? I have been storing it in SharedPreferences, but that does not sound very secure to me.


You are right using shared preferences is not the approach to follow. You should utilise Android Keystore System for any such purpose, it is preferred approach.

The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.

And KeyStoreUsage.java is the example for same.


  • Store in cleartext

    Using cleartext means there is no protection to a user's runtime data assuming the hacker has physical access to the phone.

  • Store encrypted using a symmetric key

    Developers are a helpful bunch and they often put the encryption keys in easy to find places like com.packagename.android.util.security. Using the

  • Android Keystore

    The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device.

  • Store encrypted using asymmetric keys

    A safer asymmetric encryption option is to store the private key remotely.

  • Refer this article for more details

    链接地址: http://www.djcxy.com/p/38162.html

    上一篇: 是否有可能在角度2+中进行条件内容投影(跨越)

    下一篇: 什么是在Android中授权用户的最安全的方式?