I’m currently trying to build an authentication application in Android which stores users’ username and password in the memory. Since sensitive information is stored, it would have to be encrypted.
And also the point is that the user does not need to enter a password, I would like to make it such that there is no master password for the app, assuming that the handset is secure.
As such, the encryption key would have to be stored somewhere. My question is, is there any mechanism in iOS/Android that protects my encryption key from being read by a malicious application with root access?
EDIT: I think it should be possible since web browsers store passwords, and I haven’t heard a way to extract them.
NO, the user of your application has more control over the platform than you do. Or in this case if the phone was stolen, the new user has full control over the device. There is no place to hide a secret on any device. The same is true for desktop applications, mobile applications and web browsers.