Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
278 views
in Technique[技术] by (71.8m points)

web services - Android: Is it a good idea to store Authentication Token in Shared Preferences?

I have an application that communicates with a server. When the user logins to the application an Authentication Token is crated on the server and stored in the SharedPreferences of the application and whenever the application requests data from a web service the authentication token is validated.

My question is, is it secure to store the authentication token in the SharedPreferences? I'm asking because a user with root privileges can access the preferences, extract the token and use it.

Is there anyway to have more security in that regard?

question from:https://stackoverflow.com/questions/19669560/android-is-it-a-good-idea-to-store-authentication-token-in-shared-preferences

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

In short, yes, that's a perfectly reasonable thing to do.

The best you can do on top of that is obfuscation only. If you keep the token in memory, a root user can peek into that. If you encrypt it, you have to store the encryption key on the device also or you won't be able to use the token… and the key can be stolen just as easily as the token.

If someone has root on the device, all bets are off. Don't optimize for that case. If your app is super-duper high security, don't allow it to run on rooted devices, or implement a remote-wipe functionality where the user can report their device stolen and you can invalidate the token on the server.

Android 4.3 introduced the Android Keystore. That purportedly provides a secure store for cryptographic keys. This could be used to store a key that's used to decrypt an encrypted token stored with traditional methods. However, the referenced link gives no mention of how a rooted device impacts the security of this.

UPDATE 2018: Most modern Android devices have hardware-backed keystores, via a trusted execution environment (TEE) provided by the SoC. This makes it impossible (see below) for hacker to obtain the keystore master key that would otherwise be needed to decrypt the keys you've stored in the Android Keystore.

Well, "impossible" is a strong word. It's better said as "infeasible". Meaning, you'd need something like an electron microscope to scan the bits fused into the SoC providing the TEE. If you are the type of person whose data warrants this sort of attention, you probably have bigger problems.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...