Sometimes you cannot avoid handling passwords in your application. When you do,
- keep them around as short as possible
- store them in data types that are not garbage collected
- wipe the storage as soon as you are done
In practice, this usually comes down to storing them as arrays (character or byte arrays), not strings.
This holds for many other platforms outside Java as well: strings are usually managed in one way or the other, so they cannot be wiped
References:
- [WayBack] java – Why is char[] preferred over String for passwords? – Stack Overflow
- [WayBack] What is the best way to store password in memory (RAM) in Java? – Information Security Stack Exchange
For actual storage of passwords, you always have the risk of retrieval: when a “bad guy” gets physical access to a device, it is basically hosed.
A KeyStore can only do so much against it: if your APK can be downloaded, it can be reverse-engineered revealing the exact steps how the store is accessed, reproducing the steps needed to hack into the underlying protected data/functionality.
- [WayBack] Using the Android KeyStore to store user authentication credentials – Stack Overflow
- [WayBack] Best place to store a password in your Android app
- [WayBack] Using AdroidKeyStore for secure user password storage
- [WayBack] security – How to store private key in android without pin code – Stack Overflow
- [WayBack] How to use the Android Keystore to store passwords and other sensitive information – Android Authority
- [WayBack] Using the Android Keystore system to store and retrieve sensitive information
- [WayBack] security – How to store Android KeyStore passwords securely – Stack Overflow
- [WayBack] Mobile App Security Basics – The Wanari Business Blog
- [WayBack] Java Examples for android.security.KeyPairGeneratorSpec
- [WayBack] AESSecureTokenStore.java example: com.couchbase.lite.auth
The keystore can be forgetful…
You’ve just moved in to a new house and have been given the master key for the front door. You only have one of these so you know you need to keep it safe. Your really paranoid so you hire an armed guard, whose sole job is to protect this key, in fact, this is all he has been trained to do and has a catchy slogan of “need to protect a key, its what I was born to do!”. You install an extra lock on your front door as you feel the bodyguard isn’t enough, this is a rough area anyway and who’s going to make sure no-ones about to break in and steal all your crap. You return to your key guard only to be informed he has thrown the key away. You shout and scream at him but he just blankly says “I don’t have it anymore, I didn’t think it was important”. You can’t contain your anger “What the hell, your a jerk! You had one thing to do and you failed, this causes me a lot of problems, why didn’t you tell me you might do this?! What do I do now?!”
[WayBack] Android Security: The Forgetful Keystore – SystemDotRun – Dorian Cussen’s Super Blog
–jeroen