What is the most secure way to authorize an user in Android?
In my app, user logs in with a web service, and web service returns an Authorization Key. After that point, every request user makes is done with this key.
My question is how to securely store this key? I have been storing it in SharedPreferences, but that does not sound very secure to me.
You are right using shared preferences is not the approach to follow. You should utilise Android Keystore System for any such purpose, it is preferred approach.
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
And KeyStoreUsage.java is the example for same.
Store in cleartext
Using cleartext means there is no protection to a user's runtime data assuming the hacker has physical access to the phone.
Store encrypted using a symmetric key
Developers are a helpful bunch and they often put the encryption keys in easy to find places like com.packagename.android.util.security. Using the
Android Keystore
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device.
Store encrypted using asymmetric keys
A safer asymmetric encryption option is to store the private key remotely.
Refer this article for more details
链接地址: http://www.djcxy.com/p/38162.html