How to securely store credentials (password) in Android application?

Question

I want to store the password used for signing in a financial application that I am developing at a secure place. After doing some net surfing I found following options but each of them has certain drawback.

1) KeyChain.
Only available in OS version 4.

2) Shared Preferences.
It stores data in plain text even though if I encrypt the data then the encryption key can be compromised by decompiling the application code.

3) Access keystore daemon and store credentials in it.
(http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html) Requires another password to remember.

Please suggest me a better way to secure credential information in android application like IPhone KeyChain.

Answer 1

Hashing is the solution don't store credentials as plain text in shared preferences or any medium.

Just salt and hash the password then you may proceed to store it in either sharedPreferences or some embedded db.

Here is how it works:

Online

1. The plain(unhashed) password is sent to server for authentication & authorization upon successful login.

2. The salt either can be generated and returned from server to client or can be generated at client

3. Then store it as salt and hash the password and store it.

Offline

1. We’ll hash the user entered password using the salt which we stored

2. We'll compare with the hash which we stored upon successful login

3. If both are equal then we’ll let the user in else we won’t let the user in.

Advantages:

1. So Now you don't have to worry about version compatibility.

2. Even If device is rooted it's so hard to brute force the hash.

3. Even if someone decompiles/cracks the app it's so hard to reverse engineer