I'm making an android application and currently, I have my server username and password written as constants in my code (which is not very secure). I have researched online but I couldn't really find something that would completely secure the password from the user or at least prevent from hackers. Could anyone help me out on how to securely store a password locally on android? Thanks!
It seems your question is actually "can I restrict server access to my application only?". This is not possible. Once an application or file exists on a client (eg. a user device), there's no sure-fire way to prevent that client from accessing anything in that application or file, with or without your authorization.
If the device can read it, then the device can read it - regardless of whether it's actually your application doing the reading, or something else pretending to be the application.
The most you can do is trying to obfuscate the credentials, but this is unlikely to be useful - those who might have an interest in extracting credentials from your application, will also likely be those who have the skills to bypass such obfuscation.
I can't really give you a more specific suggestion without knowing your usecase. For remote APIs, API keys are typically used - but this would require that the user create an account. For account-less applications, what you want is simply not possible.
I should also note that "preventing hackers" is not a meaningful goal - that can mean many things. You'll want to read up on how threat modelling works, and determine exactly who your 'attackers' are, what their goals are, and what their capabilities are. Only then can you try to find solutions against it.
EDIT: Just wanted to add an extra word of warning: anybody telling you that obfuscation is "effective" for these kind of scenarios, is trying to sell you something. Unfortunately they are generally rather successful in such attempts. The obfuscation model cannot and does not work.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments