0

I am coding an Android Social Media app, The frame is in Java and the actual data is just a WebView of the mobile view of my social media site.

The question I have is how do I save a user's password, is there anything wrong with storing the user's password in plain text (Not hashed or anything) in a file since using Internal Storage on an Android device means only my app can access the files?

Also when displaying the user's data such as activity, profile data, and feed (Which is all a HTML webpage) would it be safe to code the website to take URLs like www.mywebsite.com/mobile.php?user=example&session=String Of Characters

Kingbluesapphire
  • 161
  • 10
  • 1
    Storing user's password as Plain text is always a security concern. A better approach is to store an AccessToken (like Cookie) on the device after verifying the user on the webserver. This access token can have a timeout, and everytime a user logs into the app again, simply check whether a token is present or not? If it is present, send the accessToken to the webserver to verify its integrity otherwise, display a login screen to the user with appropriate message. – Atish Agrawal Jul 06 '17 at 08:00
  • "is there anything wrong with storing the user's password in plain text?" - yes! – Matthias Seifert Jul 06 '17 at 08:48

1 Answers1

2

There is no issue in writing the password in SharedPreferences or internal storage as users can't access it until a device is rooted. The best approach is that you should save encrypted password or authToken instead but if you want to proceed with plain text password then apply a special check that if a device is Rooted then don't save password in plain way.

Usman Rana
  • 2,067
  • 1
  • 21
  • 32