What is the most secure way to authorize an user in Android?

Question

In my app, user logs in with a web service, and web service returns an Authorization Key. After that point, every request user makes is done with this key.

My question is how to securely store this key? I have been storing it in SharedPreferences, but that does not sound very secure to me.

Answer 1

1. Store in cleartext

   Using cleartext means there is no protection to a user's runtime data assuming the hacker has physical access to the phone.

2. Store encrypted using a symmetric key

   Developers are a helpful bunch and they often put the encryption keys in easy to find places like com.packagename.android.util.security. Using the

3. Android Keystore

   The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device.

4. Store encrypted using asymmetric keys

   A safer asymmetric encryption option is to store the private key remotely.

Refer this article for more details

Answer 2

You are right using shared preferences is not the approach to follow. You should utilise Android Keystore System for any such purpose, it is preferred approach.

The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.

And KeyStoreUsage.java is the example for same.