My Android application uses a secret key to generate a token for authentication purposes. Is there a more secure way to store this than just putting this in the data store? I think for the iPhone, we store it in the keychain. I am aware of android.accounts.AccountManager, but this seems to give other applications potentially the ability to access the password (if the user selects the wrong option) and so seems less secure.
+1
A:
Android (unfortunately) does not provide a way to do so. The approach I've used before is to encrypt this token with another key generated within the app.
Your app key can be a function of the phone's IMEI. This, however, is only as secure as your function. Once that is known this is equivalent to storing the token in plain text.
Prashast
2010-04-20 03:42:18
I don't think that anyone would find it too hard to find the function if they really wanted to. However, this I suppose this is a lot more effort than just reading a plain text key
Casebash
2010-04-20 03:52:41
True. Its more security from obscurity than anything else. Another approach is to store the token encrypted using some user specified password. This is the safest, but, the user will have to authenticate themselves with the app everytime your app is launched.
Prashast
2010-04-21 00:35:39
+2
A:
You can store the key in the Preferences of your App. This will protect the key from getting read by other applications because of the underlying file system restrictions of the Android system.
But this won't protect the key from being read by the user itself.
Janusz
2010-04-20 07:34:14