I had been reading this http://developer.android.com/intl/es/training/articles/security-tips.html
Specifically this:
/******
Handling Credentials
In general, we recommend minimizing the frequency of asking for user credentials—to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.
Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.
Services that will be accessible to multiple applications should be accessed using AccountManager. If possible, use the AccountManager class to invoke a cloud-based service and do not store passwords on the device.
After using AccountManager to retrieve an Account, CREATOR before passing in any credentials, so that you do not inadvertently pass credentials to the wrong application.
If credentials are to be used only by applications that you create, then you can verify the application which accesses the AccountManager using checkSignature(). Alternatively, if only one application will use the credential, you might use a KeyStore for storage. /*******
Is it good idea to use "KeyStore", How can I access or use it in B4A?. I am not happy to put an example the password of my FTPs username and password only obfuscated in my code.
I am not willing to use Oauth o tokens etc for this scenario.
About KeyStore http://developer.android.com/intl/es/reference/java/security/KeyStore.html
and http://developer.android.com/intl/es/training/articles/keystore.html
Any light will be very appreciated, I had been reading in the forums, and apparently, all of us have the same concern.
Specifically this:
/******
Handling Credentials
In general, we recommend minimizing the frequency of asking for user credentials—to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.
Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.
Services that will be accessible to multiple applications should be accessed using AccountManager. If possible, use the AccountManager class to invoke a cloud-based service and do not store passwords on the device.
After using AccountManager to retrieve an Account, CREATOR before passing in any credentials, so that you do not inadvertently pass credentials to the wrong application.
If credentials are to be used only by applications that you create, then you can verify the application which accesses the AccountManager using checkSignature(). Alternatively, if only one application will use the credential, you might use a KeyStore for storage. /*******
Is it good idea to use "KeyStore", How can I access or use it in B4A?. I am not happy to put an example the password of my FTPs username and password only obfuscated in my code.
I am not willing to use Oauth o tokens etc for this scenario.
About KeyStore http://developer.android.com/intl/es/reference/java/security/KeyStore.html
and http://developer.android.com/intl/es/training/articles/keystore.html
Any light will be very appreciated, I had been reading in the forums, and apparently, all of us have the same concern.
Last edited:
