I am planning to store a password in my native app (Android and iPhone). Should I store it after encrypting it, or can I store it without any encryption? Is it really secure?

A: 

I would store it encrypted. If someone would read your password he/she could simply use it. If it is stored encrypted, that person would need to decrypt it before usage.

Im0rtality
Hi Im0rtality, thanks for the response. I really don't know how a person can read my password that is stored on my device. Can you elaborate on it?
Krishnan
Just like phooze and tomash said, with a rooted device you can read sensitive files (for example, the file where you store your password). And if that file can be read, anyone could get access to the password-protected part of the application.
Im0rtality
A: 

Stored passwords are not safe at all. A determined user can root their device and access any database and preferences. If you encrypt the password, your application can be decompiled to get the decode function, or step-executed until the decrypted password is stored somewhere in process memory.

It doesn't mean you shouldn't encrypt passwords - use any symmetric encryption and initialise the key in some non-trivial way (i.e. an arithmetic expression). This will prevent script kiddies and casual programmers from reading passwords. Just remember that if someone really wants them, they will get them anyway.

tomash
+2  A: 

Any jailbroken iPhone will give any user access to the application's Documents folder. So, yes, it's insecure.

Additionally, if you put the password inside the code, you're still weak, as someone can decompile the program and find the key. What I'd recommend is a proxy.

For example, we have an application that connects to Facebook's API on the phone. However, we don't want to store our Facebook API private key on the phone, because then any user who reverse engineers our code could hack our Facebook application!

So, instead, we store the Facebook private key on a (secure) proxy server. When the device needs to interact with Facebook, it contacts the proxy, asks the proxy to log in, and then the proxy gives a session key to the device to use directly with Facebook.

Certainly, it's still hackable - but you won't lose your private key in the process, and instead, the only thing your user could do is do the same things you do in your proxy server API.

Could you give us a little more information about what you're trying to do?

phooze
I wanted to store the username and password of a registered service into the app I am planning to develop. Can you elaborate on proxy?
Krishnan
Added some detail about proxies - depends what kind of service you are trying to connect to, but the basic concept is there!
phooze
Hi Phooze, so do you have any idea what the Twitter and Facebook applications use to store the password?
Krishnan
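The proxy pattern phooze describes above, as an added simulation that is not part of the original answers: the third-party API key stays on the proxy, the app holds only a per-install secret plus the session token the proxy hands back, so a copy of the app's storage never yields the key. The classes ThirdPartyService, Proxy and Device, and the placeholder API key, are all constructed for illustration and run in one process.

```python
import hmac, secrets, time

API_KEY = "PLACEHOLDER-THIRD-PARTY-API-KEY"  # constructed; lives on the proxy only

class ThirdPartyService:
    """Stand-in for the external API: login with the API key yields a session
    token that expires after `ttl` seconds and is required for every call."""
    def __init__(self, api_key, ttl=3600):
        self._api_key, self._ttl, self._sessions = api_key, ttl, {}
    def login(self, api_key):
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("bad API key")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = time.time() + self._ttl
        return token
    def call(self, token):
        if self._sessions.get(token, 0) < time.time():
            raise PermissionError("invalid or expired session")
        return "ok"

class Proxy:
    """Server side: holds the API key and vouches for devices it registered,
    each identified by a per-install secret rather than the shared key."""
    def __init__(self, service, api_key):
        self._service, self._api_key, self._devices = service, api_key, {}
    def register(self, device_id):
        self._devices[device_id] = secrets.token_hex(16)
        return self._devices[device_id]
    def get_session(self, device_id, device_secret):
        expected = self._devices.get(device_id)
        if expected is None or not hmac.compare_digest(device_secret, expected):
            raise PermissionError("unknown device")
        return self._service.login(self._api_key)  # the key is used only here

class Device:
    """App side: stores only its per-install secret and the session token, so
    a copy of its storage cannot yield the API key."""
    def __init__(self, proxy, device_id):
        self._proxy, self._id = proxy, device_id
        self._secret, self.session = proxy.register(device_id), None
    def use_service(self, service):
        if self.session is None:
            self.session = self._proxy.get_session(self._id, self._secret)
        return service.call(self.session)

def demo():
    svc = ThirdPartyService(API_KEY)
    dev = Device(Proxy(svc, API_KEY), "device-123")
    result = dev.use_service(svc)
    return result, API_KEY not in repr(vars(dev))  # ("ok", True)
```

What the user can still do is exactly what the proxy exposes (as phooze notes), so the proxy should authenticate devices and rate-limit them; the API key itself is never at risk on the handset.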