Android Token Management
Created at 2016-03-24 Updated at 2023-03-08 Category experience / work
I was working on an Android project that used token-based authentication. Implementing token-based authentication on Android was all new to me. In this application the Android side sent the username and password and received a token in return. This token can then be used to authenticate the user on subsequent requests.
The issue that popped up was how to keep the token safe on the Android side. We can keep the token in Shared Preferences. Those are private by default, and other applications cannot access them. On a rooted device, if the user explicitly grants access to some application that is trying to read them, that application might be able to use them, but you cannot protect against that. If you encrypt the token, you have to store the encryption key on the device as well or you won’t be able to use the token, and the key can be stolen just as easily as the token.
If your application is super-duper high security, don’t allow it to run on rooted devices, or implement remote-wipe functionality where the user can report their device stolen and you can invalidate the token on the server.

Android 4.3 introduced the Android Keystore, which purportedly provides a secure store for cryptographic keys. This could be used to store a key that is used to decrypt an encrypted token stored with traditional methods. However, the referenced link gives no mention of how a rooted device impacts the security of this.
Hope this information was useful!!