tags:

views:

624

answers:

2
+2  Q: 

How to secure passwords in Android Application

Many of my users have requested a password protection for various data elements in my database. Unfortunately, one of my existing features is backing up the database to a public location (SD Card) for data redundancy, so my database isn't secure.

So my question is two-fold.

  1. How can I encrypt or secure a database on android?

  2. How can I store user created passwords on the device in a secure, inaccessible way.

A: 

If you store data in via the preference store this data is only accessible for your application, if the android system is valid (not rooted, etc). Every app will get a own user for access on the file system and therefor the underlying linux system will prevent the other apps from reading these data stores.

I haven't work with the preference manager yet, maybe you will find an answer on how to use it in the documentation.

If you need the passwort to loggin in to an external web app and can't simply store a hash of the password there is a special mechanism used for example for the google authentications. You log in to the web app with username password and then the web app sends a security token to your device. This token can be saved and is valid for logging in for two weeks from this device. This can only work if you control some parts of the web app you are working with.

Janusz  2010-03-05 15:55:33
The preference store is a simple key/value dictionary, not a suitable backing for a database. Besides, the database files created by SQLLiteOpenHelper benefit from the same protection you described.
Segfault  2010-03-05 16:51:50
if you store the passwords in the preference store they are not stored in the db and the db can be written to the sd card without security concerns
Janusz  2010-03-05 17:45:04
I still need to secure the database even if the passwords aren't in there. Some of the data in the database will be specifically password protected by those passwords, so even if they are stored somewhere else, the data they are protecting still needs to be protected.
CodeFusionMobile  2010-03-06 14:50:08
+1  A: 

If you are using API version 5 or higher, you could integrate with the android.accounts.AccountManager.

Jared314  2010-03-07 01:41:18
I'm on API 3. I could upgrade, but would lose too many users for a feature not everyone would use.
CodeFusionMobile  2010-03-07 21:24:31

related questions

SQLite3::BusyException
How do I dump the data of some SQLite3 tables?
Database functionality with WPF app: SQLite, SQL CE, other?
SQLite UDF - VBA Callback
JavaScript sqlite
SQLite/PHP read-only?
Is there a MySQLAdmin or SQL Server Management Studio equivalent for SQLite databases on Windows?
What are the advantages of VistaDB
How Scalable is SQLite?
Programmatically access browser history
SQL Pagination
Metalanaguage to describe the Model from MVC to generate identical client and server side code
Java and SQLite
Is there a good IDE for SQLite ?
Does Visual Studio Server Explorer support custom database providers?
Objective-C: Passing around sets of data
What is the best way to connect and use a sqlite database from C#
Quick easy way to migrate SQLite3 to MySQL?
Why does sqlite3-ruby-1.2.2 not work on OS X?
T-Sql date format for seconds since last epoch / formatting for sqlite input
What's the best way of converting a mysql database to a sqlite one?
SQLite vs MySQL
Using SQLite with Visual Studio 2008 and Silverlight
Adobe Air - Using multiple SQLite databases at once
SQLite and XSD