Recently I found many Android apps using shared preferences for persistent login. Such apps require a user name and password from the user to log in the first time, but from then on require no additional action from the user.
In rare cases, the app will store the password in a file like login_account.xml in the shared_prefs folder; once the user has rooted his Android phone, another evil app may read this file to get the user’s password.
In most cases, I found that the apps will store a login key (not the password) in login_account.xml in the shared_prefs folder. It seems to be secure because the evil app cannot steal the password, but it can still get the login status of the victim because he can replace his own login key with the victim’s.
I am wondering if there is some way that can both protect our users from having their login key stolen and not require our users to input their password each time they load our app?
Devices are inherently insecure, so no matter what you do there will always be a possibility for “Evil Guy” to do something. There is absolutely no solution to that.
You can, however, mitigate the risks somewhat by doing what Chirag Raval suggests: only store the login and the fact that it was successful.
I would add to that: only ‘auto’-login for a limited time and then show the login dialog again to reconfirm the password.
You can make it a little more secure by generating a signature of your phone, sending it upon the first login and having the server send a response string which you can use to log in subsequently. It would be somewhat secure by the fact that it would be very hard to guess, it would not work on another phone and it still requires the password. To generate such a signature, I would concatenate lots of field values from the Build class, the phone’s id and possibly values obtained in TelephonyManager (home network), then generate a digest from that. The most secure way to do it is to use an SHA-1 HMAC (look at the Bouncy Castle library).
Of course, this all breaks down against a dedicated adversary: he can attach a debugger to your app, trace all its calls and figure out the algorithm for the signature. That’s because the device is insecure, as I wrote at the top. (PS: this actually happened to me while a client was testing the security of an app.)
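An added example (not from the question or the answer) of the scheme the answer describes, in Java for Android: the device signature is an HMAC-SHA1 over concatenated Build fields and the device id, computed with the platform's javax.crypto.Mac rather than a separate Bouncy Castle dependency; only the user name, the server's response string and its issue time go into shared preferences, and auto-login stops after a fixed window. The preference file and keys, the one-week window and the hmacKey shared with the server are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.provider.Settings;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DeviceBoundLogin {
    // Preference file name, keys and the auto-login window are assumptions for this example.
    private static final String PREFS = "login_account";
    private static final String KEY_USER = "user";
    private static final String KEY_TOKEN = "server_token";
    private static final String KEY_ISSUED_AT = "issued_at";
    private static final long AUTO_LOGIN_WINDOW_MS = 7L * 24 * 60 * 60 * 1000; // re-prompt after a week

    // Concatenate Build fields and the device id, then digest them with an HMAC-SHA1.
    // hmacKey is assumed to be shared with the server; as the answer notes, anything
    // that lives on the device can still be recovered by a determined attacker.
    public static String deviceSignature(Context ctx, byte[] hmacKey) throws Exception {
        String androidId = Settings.Secure.getString(ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
        String raw = Build.BOARD + "|" + Build.BRAND + "|" + Build.DEVICE + "|" + Build.MANUFACTURER
                + "|" + Build.MODEL + "|" + Build.PRODUCT + "|" + androidId;
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(hmacKey, "HmacSHA1"));
        return Base64.encodeToString(mac.doFinal(raw.getBytes(StandardCharsets.UTF_8)), Base64.NO_WRAP);
    }

    // Store only the user name, the server-issued response string and when it was issued,
    // never the password.
    public static void rememberLogin(Context ctx, String user, String serverToken) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        p.edit().putString(KEY_USER, user).putString(KEY_TOKEN, serverToken)
                .putLong(KEY_ISSUED_AT, System.currentTimeMillis()).apply();
    }

    // Return the stored token only while the auto-login window is open; once it has
    // expired the caller shows the login dialog again so the password is reconfirmed.
    public static String tokenForAutoLogin(Context ctx) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        long issuedAt = p.getLong(KEY_ISSUED_AT, 0L);
        if (issuedAt == 0L || System.currentTimeMillis() - issuedAt > AUTO_LOGIN_WINDOW_MS) {
            p.edit().clear().apply(); // expired: drop the token and force a fresh login
            return null;
        }
        return p.getString(KEY_TOKEN, null);
    }
}
```

On each automatic login the client sends the stored token together with a freshly computed deviceSignature, so the server can reject a token that was copied to a different phone.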