Thanks Kristopher. I don't fully understand how the AccountManager works. However I have read that the AccountManager stores all key information on disk. So a motivated attacker could 'root' the device and gain access to the 'master-hash'. I plan on giving the user an option to use the AccountManager.
It seems that I can achieve what I need by creating a Bound Service & a class that extends android.os.Binder . I don't need write AIDL. This is suitable for what I 'wanted'? On Tuesday, June 25, 2013 4:21:02 PM UTC+2, Kristopher Micinski wrote: > > Storing passwords in Android is a pain, and this might be a somewhat > acceptable solution. > > The one thing that sucks is that a foreground service will suck > battery. It would be more convenient to use the application accounts > and get a token from them. In short, you should be using the > AccountManager, since that's what this was designed for: > > http://developer.android.com/reference/android/accounts/AccountManager.html > > You're right in that a foregrounded service is much less likely to be > killed by Android, and since your app has a different UID you're > pretty safe. > > Say you do this and keep a foreground service, how are you going to > access it? AIDL with a permission that allows you access the hash? > In that case, you're just recreating the AccountManager :-). > > Kris > > > On Tue, Jun 25, 2013 at 9:38 AM, Micheal Swiggs > <bobby.s...@gmail.com <javascript:>> wrote: > > My app requires that the user enters in private personal information. > This > > information is used to generate a 'master' hash. The 'master' hash is > used > > to generate passwords. Rather than having the user enter their personal > > details every time they need a password, I wish to store the 'master' > hash. > > > > After looking at android storage options I was thinking of storing the > > 'master' hash in a foreground service. I am comfortable with losing the > > 'master' hash everytime the device shuts down or if the service is > shutdown. > > However, I believe that since it is a foreground service this is > unlikely to > > happen.... > > > > I believe.... that using the foreground service for this purpose as it > will > > be difficult to obtain the master hash if the device is stolen. Once the > > phone goes off the master hash is gone. Is what I believe true? Is there > any > > serious security flaws with this method? > > > > -- > > You received this message because you are subscribed to the Google > Groups > > "Android Security Discussions" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to > > android-security-discuss+unsubscr...@googlegroups.com<javascript:>. > > > To post to this group, send email to > > android-secu...@googlegroups.com <javascript:>. > > Visit this group at > http://groups.google.com/group/android-security-discuss. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
