Hi Mike, Thanks for the advice... here are my answers.
> > 1. Are there e.g. onStartup() and onShutdown() per-application events,
> > or similar, that I can hook into, to serve up a login dialog and set
> > the login state in Preferences? If not, then how should I implement
> > login?
>
> So, your first problem is conceptual. The idea of an "application"
> isn't as well defined in Android as a desktop OS (deliberately). For
> instance, it's pretty clear what happens when the user presses the
> icon on the launcher or home screen - you display the login screen.
> What if the user receives a call whilst using your app, and it
> switches to the background? Does the user have to log in again when
> returning? No, that makes no sense. What if they press home and do
> something else for, say, 20 minutes - log in again then? Probably not.

Ideally I'd like to give people the choice of (a) mild security - log in only when they first start the app, or (b) strong security - log in every time they switch away from it, for whatever reason. At a minimum I'd like to offer (a) mild security - log in every time the app is launched if it's not already running in the background.

If there's no onStartup/onShutdown event, then I guess I can't store a boolean value for logged_in in the Preferences, since it'll persist. I could pass it in a Bundle back and forth between activities, which would die with the app. But how secure would that be? Could someone pass a Bundle to the activity automatically?

> Could you describe why you want this in a bit more detail? Phones are
> already protected by key locks, I don't see why you need a separate
> login system for your app?

Ah, it's because I've already released an app on the market and the #1 feature request from users is for a password. I know, I find it surprising too! I guess it must be either people who don't use a keylock most of the time, or who share a phone occasionally, or who are paranoid about other people reading their private stuff (it's a notebook app).

> > 2. Assuming that I save the login state and the user's password
> > (hashed with a salt) in Preferences, how secure will that be?
>
> That's impossible to answer because you did not describe what the
> login is protecting. Saving a hashed password with a salt isn't really
> secure because somebody can just decompile the apk to find out what
> the salt is then brute force the result *if* the phone is rooted. If
> it is not rooted they'd have to do that first.

Thanks. Um, sorry for the naive question, how hard is it to root a phone? I just want to know what to say to users. Saying "your private details are secure from other normal users, but probably not if a determined hacker with root access steals your phone" would be fine.

cheers
Anna

