Leos Literak

Reputation: 9474

How to securely store a password in a mobile application

I spent the last few days reading articles and OWASP, and this is the design I want to go with. My app will save data in the cloud. The password is not a trivial PIN, so entering it every time would be embarrassing. The app is used often, so I want to save the password.

My proposal follows. Please write your objections:

  1. User enters the credentials
  2. REST service authenticates the user and provides some kind of token valid for several hours
  3. REST service provides a public key associated with this user
  4. Mobile application encrypts the password with this public key
  5. If the token expires the app sends username and encrypted password to the REST service
  6. The REST service looks up the private key and validates the decrypted password
  7. The REST service returns the current token

The backup REST service will use the token to authenticate the user. It may return a token-expired error.

I bet two cents that this approach is safe for a non-banking application. Have I missed some hole? The attacker can even have root access, decompile the obfuscated application and modify binaries, but he cannot get the password on a mobile device. Please comment even if you like the proposal, so that I get positive feedback as well.

Resources:

Upvotes: 0

Views: 2783
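The seven-step flow proposed above, simulated end to end as an added example (this is not the asker's code). It assumes the third-party `cryptography` package, an in-memory server that keeps users, per-user RSA key pairs and tokens, and RSA-OAEP as the "encrypt with this public key" step, which the question does not specify. Besides the happy path, `demo()` exercises the two cases a reviewer would check against the stated attacker model: what a copy of the device storage can do with the stored ciphertext, and what happens after a password change. The user and password are constructed test data.

```python
"""The seven-step flow from the question, simulated end to end.

Added example, not the asker's code.  Assumptions: the third-party
`cryptography` package is installed, the server keeps users, keys and
tokens in memory, and the password is encrypted with RSA-OAEP (the
question only says "encrypts the password with this public key")."""
import hashlib, hmac, os, secrets, time
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

TOKEN_TTL = 4 * 3600          # "valid for several hours"
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def _pw_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Server:
    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so the demo can expire tokens
        self.users = {}                 # user -> {salt, pw_hash, key}
        self.tokens = {}                # token -> (user, expiry)

    def register(self, user, pw):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw_hash": _pw_hash(pw, salt),
                            "key": rsa.generate_private_key(65537, 2048)}

    def _check_pw(self, user, pw):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(_pw_hash(pw, u["salt"]), u["pw_hash"])

    def _issue(self, user):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, self.clock() + TOKEN_TTL)
        return tok

    def login(self, user, pw):
        """Steps 1-3: credentials in, token plus this user's public key out."""
        if not self._check_pw(user, pw):
            return None
        pem = self.users[user]["key"].public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
        return self._issue(user), pem

    def renew(self, user, enc_pw):
        """Steps 5-7: decrypt with the user's private key, re-check, re-issue."""
        u = self.users.get(user)
        if u is None:
            return None
        try:
            pw = u["key"].decrypt(enc_pw, OAEP).decode()
        except ValueError:              # wrong key or corrupted blob
            return None
        return self._issue(user) if self._check_pw(user, pw) else None

    def validate(self, tok):
        """What the backup service does: look the token up and check expiry."""
        rec = self.tokens.get(tok)
        return rec is not None and rec[1] > self.clock()

    def change_password(self, user, new_pw):
        salt = os.urandom(16)
        self.users[user].update(salt=salt, pw_hash=_pw_hash(new_pw, salt))

class Device:
    """Everything that ends up on the handset: username, token, ciphertext."""
    def __init__(self, server):
        self.server, self.storage = server, {}

    def first_login(self, user, pw):
        res = self.server.login(user, pw)
        if res is None:
            return False
        tok, pem = res
        pub = serialization.load_pem_public_key(pem)
        self.storage = {"user": user, "token": tok,          # step 4
                        "enc_pw": pub.encrypt(pw.encode(), OAEP)}
        return True

    def token(self):
        if not self.server.validate(self.storage["token"]):
            self.storage["token"] = self.server.renew(self.storage["user"], self.storage["enc_pw"])
        return self.storage["token"]

def demo():
    srv = Server()
    srv.register("leos", "correct horse battery staple")    # constructed test user
    dev = Device(srv)
    dev.first_login("leos", "correct horse battery staple")
    first = dev.token()
    srv.clock = lambda: time.time() + TOKEN_TTL + 1           # several hours later
    renewed = dev.token()
    # Root on the device (the attacker the question allows) copies the storage
    # as-is and calls renew from elsewhere: the blob alone yields a token.
    stolen = dict(dev.storage)
    replay = srv.renew(stolen["user"], stolen["enc_pw"])
    # After a password change the ciphertext still decrypts, but the old
    # password no longer verifies, so renewal fails until the user re-enters it.
    srv.change_password("leos", "a new password")
    after_change = srv.renew(stolen["user"], stolen["enc_pw"])
    return {"renewed_ok": renewed != first and srv.validate(renewed),
            "stolen_blob_renews": replay is not None and srv.validate(replay),
            "renews_after_pw_change": after_change is not None}
```

Note what `demo()` shows: the password never leaves the device in clear, but the ciphertext is accepted by `renew` exactly as the password would be, so an attacker who can read the storage does not need to recover the password to obtain tokens.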

Answers (1)

bill

Reputation: 53

I would avoid storing the user's credentials on the device, even if they are encrypted. It introduces some security risks and also some business logic you have to account for, specifically: what will you do when the user changes their password? In the method you described, the application will continue sending the old password, encrypted with the user's public key, and the authentication will fail.

I'd recommend using OpenID Connect and OAuth2. OpenID Connect will handle the authentication part and OAuth2 the authorization. The OAuth2 spec has a concept of refresh tokens that can be used to renew an access token once it has expired.

The other benefit is you can delegate the authentication to services users are familiar with like Facebook, Google etc which can make for a better user experience.

There is some information on how to integrate with Google using OpenID Connect and OAuth2 here: https://developers.google.com/identity/protocols/OpenIDConnect. Other providers like Facebook have similar documentation. If you'd prefer to manage your own identities you can even use something like IdentityServer, http://docs.identityserver.io/en/release/

Upvotes: 1
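The refresh-token renewal the answer recommends, as an added example (not the answerer's code and not a full OpenID Connect or OAuth2 implementation): one in-memory authorization server and a device that keeps only the two tokens, never the password. Refresh-token rotation with reuse detection is this example's assumption; the answer only says that refresh tokens renew an expired access token. The user, password and the `AuthServer`/`Device` names are constructed for the example.

```python
"""Access/refresh token renewal as the answer recommends, instead of a
stored (encrypted) password.

Added example, not the answerer's code and not a full OpenID Connect or
OAuth2 implementation.  Assumptions: in-memory server state, and
refresh-token rotation with reuse detection (what public clients such as
mobile apps are normally given)."""
import hashlib, hmac, os, secrets, time

ACCESS_TTL = 15 * 60                    # short-lived bearer token
REFRESH_TTL = 30 * 24 * 3600            # long-lived, single-use, rotated

def _pw_hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def _h(tok):
    # store only a hash so a copy of the server DB does not yield live tokens
    return hashlib.sha256(tok.encode()).hexdigest()

class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}                 # user -> (salt, pw_hash)
        self.access = {}                # sha256(token) -> (user, expiry)
        self.refresh = {}               # sha256(token) -> {user, family, expiry, used}
        self.dead_families = set()      # revoked by reuse detection or password change

    def register(self, user, pw):
        salt = os.urandom(16)
        self.users[user] = (salt, _pw_hash(pw, salt))

    def password_grant(self, user, pw):
        """Only called when the user actually types the password."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(_pw_hash(pw, rec[0]), rec[1]):
            return None
        return self._issue(user, family=secrets.token_hex(8))

    def _issue(self, user, family):
        now = self.clock()
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[_h(a)] = (user, now + ACCESS_TTL)
        self.refresh[_h(r)] = {"user": user, "family": family,
                               "expiry": now + REFRESH_TTL, "used": False}
        return a, r

    def check_access(self, a):
        rec = self.access.get(_h(a))
        return rec[0] if rec and rec[1] > self.clock() else None

    def refresh_grant(self, r):
        rec = self.refresh.get(_h(r))
        if rec is None or rec["family"] in self.dead_families or rec["expiry"] <= self.clock():
            return None
        if rec["used"]:
            # A rotated-out token came back: the device or a thief holds a stale
            # copy.  Kill the whole family; whoever is legitimate must re-login.
            self.dead_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def change_password(self, user, new_pw):
        """No device stores the password, so nothing stale is left behind;
        revoking the user's refresh families forces a fresh login everywhere."""
        for rec in self.refresh.values():
            if rec["user"] == user:
                self.dead_families.add(rec["family"])
        self.register(user, new_pw)

class Device:
    def __init__(self, srv):
        self.srv, self.access_tok, self.refresh_tok = srv, None, None

    def login(self, user, pw):
        pair = self.srv.password_grant(user, pw)
        if pair:
            self.access_tok, self.refresh_tok = pair
        return pair is not None

    def bearer(self):
        """Token for the backup service; None means 'prompt for the password'."""
        if self.srv.check_access(self.access_tok) is None:
            pair = self.srv.refresh_grant(self.refresh_tok)
            if pair is None:
                self.access_tok = self.refresh_tok = None
                return None
            self.access_tok, self.refresh_tok = pair
        return self.access_tok

def demo():
    srv = AuthServer()
    srv.register("leos", "correct horse battery staple")     # constructed user
    dev = Device(srv)
    dev.login("leos", "correct horse battery staple")
    thief_copy = dev.refresh_tok                              # root reads storage now
    srv.clock = lambda: time.time() + ACCESS_TTL + 1          # access token expired
    renewed = dev.bearer() is not None                        # silent renewal works
    replay = srv.refresh_grant(thief_copy)                    # stale copy: rejected...
    srv.clock = lambda: time.time() + 2 * (ACCESS_TTL + 1)
    after_replay = dev.bearer()                               # ...and the family is dead
    dev.login("leos", "correct horse battery staple")         # user types it again
    srv.change_password("leos", "a new password")
    srv.clock = lambda: time.time() + 3 * (ACCESS_TTL + 1)
    after_pw_change = dev.bearer()                            # must log in again
    return {"renewed": renewed, "replay_rejected": replay is None,
            "family_revoked": after_replay is None,
            "relogin_after_pw_change": after_pw_change is None}
```

The property that matters compared with the stored-password design: a copy of the device storage is worth one refresh at most, the server notices when two parties hold the same refresh token, and a password change invalidates every device without any stale secret remaining on them.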
