Reputation: 428
I'm developing an Android banking app and want users to stay logged in even after the app is shut down. My idea to make this as secure as possible was to store a unique device id in the JWT and then extract the id from the token and compare it to the device id fetched from the device at app startup.
I would store the token in SharedPreferences. However, I just read that these device ids are not always unique because people root their phones. What would be the best solution? How can I be sure that the token I'm verifying at startup was given to that user/device? I don't necessarily need to use device ids, so any other secure option is welcome.
Upvotes: 0
Views: 342
Reputation: 2839
I don't think it's a good idea to have a persistable login session inside something as sensitive as a banking app, but if you insist:
Use the SafetyNet Attestation API to check whether the device your app is running on is rooted and, if it is, prevent the user from interacting. Once you have done that, just use regular SharedPreferences with Mode.PRIVATE and no one should be able to read this data outside of your app.
Upvotes: 1
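The startup flow the answer describes, combined with the device-id claim check from the question, as an added example (it is not code from either poster). It assumes a preference file named "session", a preference key "jwt", a JWT claim named "device_id", and a placeholder SafetyNet API key; all four are assumptions, not anything the thread states. The device first has to pass attestation, and only then is the token in the MODE_PRIVATE preference file read and its device-id claim compared with the id the device reports now. Any attestation failure is treated as "log in again".

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.provider.Settings;
import android.util.Base64;

import com.google.android.gms.safetynet.SafetyNet;

import org.json.JSONObject;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/**
 * Startup gate (added example): attest the device with SafetyNet first, and only
 * then trust a JWT kept in a MODE_PRIVATE SharedPreferences file. Also checks the
 * token's device-id claim against the id read from the device, as the question proposes.
 */
public final class SessionGate {
    private static final String PREFS_FILE = "session";        // assumed file name
    private static final String KEY_TOKEN = "jwt";             // assumed preference key
    private static final String DEVICE_CLAIM = "device_id";    // assumed JWT claim name
    private static final String API_KEY = "<your SafetyNet API key>"; // placeholder

    public interface Callback {
        void onResult(boolean sessionUsable, String token);
    }

    private SessionGate() {}

    /** Call once at app start. Fails closed: any attestation error means "log in again". */
    public static void checkSession(Context ctx, Callback cb) {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce); // fresh per call, so an old attestation cannot be replayed
        SafetyNet.getClient(ctx).attest(nonce, API_KEY)
            .addOnSuccessListener(response -> {
                if (!attestationPasses(response.getJwsResult(), nonce)) {
                    clearToken(ctx);            // rooted/tampered device: drop the session
                    cb.onResult(false, null);
                    return;
                }
                String token = loadToken(ctx);
                boolean usable = token != null && tokenBoundToThisDevice(ctx, token);
                cb.onResult(usable, usable ? token : null);
            })
            .addOnFailureListener(e -> cb.onResult(false, null));
    }

    /**
     * Reads the verdict from the attestation JWS payload. The Google signature on the
     * JWS is NOT verified here; the backend must verify it before trusting the verdict,
     * otherwise a rooted device can simply hand the app a forged JWS.
     */
    static boolean attestationPasses(String jws, byte[] expectedNonce) {
        try {
            JSONObject payload = jwtPayload(jws);
            byte[] nonce = Base64.decode(payload.getString("nonce"), Base64.DEFAULT);
            return MessageDigest.isEqual(nonce, expectedNonce)
                && payload.optBoolean("basicIntegrity", false)
                && payload.optBoolean("ctsProfileMatch", false);
        } catch (Exception e) {
            return false;
        }
    }

    /** The question's idea: the device id inside the token must equal the one the device reports now. */
    static boolean tokenBoundToThisDevice(Context ctx, String token) {
        try {
            String claimed = jwtPayload(token).getString(DEVICE_CLAIM);
            String actual = Settings.Secure.getString(ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
            return actual != null && MessageDigest.isEqual(
                claimed.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            return false;
        }
    }

    /** Decodes the middle (payload) segment of a compact JWS/JWT without verifying its signature. */
    static JSONObject jwtPayload(String compact) throws Exception {
        String[] parts = compact.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        byte[] json = Base64.decode(parts[1], Base64.URL_SAFE | Base64.NO_WRAP);
        return new JSONObject(new String(json, StandardCharsets.UTF_8));
    }

    private static SharedPreferences prefs(Context ctx) {
        return ctx.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE);
    }

    public static void saveToken(Context ctx, String token) {
        prefs(ctx).edit().putString(KEY_TOKEN, token).apply();
    }

    static String loadToken(Context ctx) {
        return prefs(ctx).getString(KEY_TOKEN, null);
    }

    static void clearToken(Context ctx) {
        prefs(ctx).edit().remove(KEY_TOKEN).apply();
    }
}
```

Two points a practitioner should keep in mind. The client-side comparisons above are convenience checks, not the security boundary: a rooted device can rewrite the preference file and the app's own logic, so the backend must verify the JWT signature and the device binding on every request, and must verify the Google signature on the attestation JWS rather than trusting the verdict the app parsed. Second, Google has since deprecated SafetyNet Attestation in favour of the Play Integrity API; the shape of the check (fresh nonce, verdict returned as a signed token, verified server-side) is the same.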