Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Well, I would like to understand how I can hide precious data in my android app like passwords, so I have seen in rooted devices the users can find databases and SharedPreferences of the app. If I need to save any precious data in running time, how could I do it?
you can hash user password and then save it, when you want to verify entered password with primary password, you have to hash entered password and then compare it with primary hashed password. because when you hash a string, you can't retrieve it to first string. to hash a string use SHA1 or MD5 hashing Technics.
see
http://karanbalkar.com/2013/05/tutorial-28-implement-sha1-and-md5-hashing-in-android/
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I am currently working on an app which will be used to send important messages as fast as possible to multiple people.
I found out that there is such a thing like firebase with which it is possible to send messages from a custom server to iOS and android devices.
But I need a solid and secure solution and firebase is therefore only my plan b. I would prefer a custom solution.
How can I achieve that a message will be sent to a client without firebase? I do not want the client to check for a new message every x seconds. That would be a waste of data. The triggering must come from the server. Can this be achieved using the observer pattern?
Firebase is a online datebase. If you try to choose a db for your app, you can choose insted MongoDB, which have a online version of db.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
How can I enforce new password rules (e.g. '12 chars minimum') on the backend, when the client sends up a one-way hash? If I used two-way encryption, the client would need the passcode, which seems to defeat the purpose. I'm using a salted hash in case someone intercepts the message, but couldn't they also intercept a passcode? This seems like a catch-22.
...but I can't think of anything better. I send down a one-time passcode (which I suppose is fairly safe over SSL), then decrypt the password on the backend and run my checks.
How do the experts handle this? Thanks in advance.
TLS is secure if you are using the up2date default policies.
It's not an issue to send over your passwords in clear text and hash them on the server. That's actually what most applications do, even big websites.
You can't enforce password rules on the backend when using a secure hashing algorithm such as argon2 already on the frontend.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
In my app, I use a rest API to connect to an online web service. For this, I use sensitive data like username password but also some keys. You can see the problem when someone decompiles my app and sees the sensitive data in my code. I am using Firebase in my app. My question is what the best way could be to store sensitive data. Remember that this is the same for all devices and the info would be around 5 strings. Things I have found online are: using Firebase Database with security rules (this would be ideal but I cant get it to work for only my app), using the last pixels of a picture to store strings. Specifically, I am using Salesforce as my web service.
Thanks in advance.
I would not use username/password for your app to connect to Salesforce. Use oAuth instead and then you don't need to worry about storing passwords. You can also look at encrypting the key fields using shared keys. Your Salesforce app can decrypt the data using the encryption classes OOTB.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
So, I'm using a simple, email/password authentication system and I wanted to know if there is a way to encrypt the information that I push there. If not how can I assure the user that their data is encrypted and their privacy is safe? Thanks for the answer!
No, you can't encrypt anything in Firebase Database. Google encrypts everything by itself and you don't need to care about hacker attacks. The only things you need to care about are the security rules and keeping your program, not too server or mobile dependent.
If you do want to assure your users that their information is completely private and only known to them, then you can manually encrypt the information. There are many encryption algorithms, but I would recommend the AES Algorithm, as it is fast and efficient. The encryption key can be stored locally on your device without having to transfer it to the server, ensuring the user's privacy.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
We should log post data or not, if not then why?
I did not get proper answer anywhere.
It is best not to log any events containing personally identifying information (PII) or security credentials, as that makes your log storage system a greater privacy and security liability than is strictly necessary.
For this reason, people frequently avoid logging the body of POST requests, as they might contain user's email addresses, passwords, user or internal API keys, etc.
However, you may safely collect such logs if you write application-specific rules to sanitize these log messages of sensitive information.