I’m trying to make an app where the user must log in with a name/pass combo. However, I’m not entirely sure where to check if the username/pass is valid.
Each time the app is run, should I refresh my copy of the database on the phone before showing the login screen? Or should I pull only after I’ve validated the login info (via a post sent over https)?
Also I’m wondering about the security of storing a part of the database that contains the username/password combos on the phone. If I hash the password repeatedly with a salt, is there a chance the username/password combo could be viewed easily? What hash algorithm is appropriate? (md5 is weak I’ve read, as is sha-1, but maybe with repeated iteration it could mitigate sha-1 weaknesses?).
Validate the login info (via some HTTP method) before you update the database. If you store any credentials in the phone’s DB, then someone who doesn’t have a login can get access to your data with a rooted phone. Even if you hash the values, someone with a rooted phone can change what’s in the database etc.
SHA-2 with a salt is a good bet for security.
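The following is an added example (not code from either poster) of the server-side half of what the answer recommends: the credential table stays on the server, the phone sends the name/password pair over HTTPS, and the user's data is released only after the check passes. It uses PBKDF2-HMAC-SHA256 from the Python standard library, which is exactly the "hash repeatedly with a salt" scheme the question asks about, built on SHA-2 as the answer suggests. The in-memory `store` and `data` dictionaries, the iteration count and the user names are constructed for illustration; a real deployment would keep these in the server database and call `login_and_fetch` from the HTTPS POST handler.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; tune ITERATIONS to your server's budget.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated, salted SHA-256 (PBKDF2-HMAC-SHA256).

    The salt is random per user, so two users with the same password get
    different hashes and a precomputed table is useless against the store.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(store: dict, username: str, password: str) -> None:
    """Register a user: only salt, iteration count and hash are stored, never the password."""
    salt = os.urandom(SALT_BYTES)
    store[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def verify_login(store: dict, username: str, password: str) -> bool:
    """Check a name/password pair against the server-side store."""
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown user name takes as long as a wrong password;
        # otherwise response timing would reveal which names exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def login_and_fetch(store: dict, data: dict, username: str, password: str):
    """What the HTTPS POST handler does: validate first, then hand back the user's data.

    Returns None on a failed login so the phone never receives data (or the
    credential table) before the credentials are validated.
    """
    if not verify_login(store, username, password):
        return None
    return data.get(username)


if __name__ == "__main__":
    # Constructed sample: one registered user and the data they are allowed to pull.
    users = {}
    create_user(users, "alice", "correct horse battery staple")
    user_data = {"alice": {"items": [1, 2, 3]}}
    print(login_and_fetch(users, user_data, "alice", "correct horse battery staple"))
    print(login_and_fetch(users, user_data, "alice", "wrong password"))
```

Note that the phone only ever holds the data returned by `login_and_fetch`, not the `users` table, so a rooted device exposes at most that one user's already-authorised data rather than everyone's credentials.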