Securely Storing Credentials

Our app needs to ship with several usernames, passwords, and tokens for accessing other web based services. I have done quite a bit of googling on this but cannot figure out how to

Solution 1:

at the end of the day what you're packing in an .apk file is a Java bytecode that if you Google "reverse engineer java byte code" you'll tools and tutos on how to extract the information on that file. I can think of a few good practices that will help you make your app more secure depending how far you're willing to work on it:

• pro-guard: that one is a giving, use pro-guard!
• you can use little tricks to make stuff more complicate, to store all those Strings in an encrypted format and decrypt them on run time.
• as a nice add-on for the last point: on your Developer console, you'll find "YOUR LICENCE KEY FOR THIS APPLICATION". You can use that key to cript the information during development time, and during runtime acquire the value from Google Play to use it to decrypt. More info about it HERE
• This license key can also be used to verify app authenticity.
• You could also built those keys as a native library. Strings stored in C++ compiled code are way more complicated to crack than in bytecode.

all in all, might be a good read for you this link: http://developer.android.com/training/articles/security-tips.html

Solution 2:

Since it has to be decrypted for the application to use there is no way to securely do it, unless you have the person download the information after they install, but there will still need to be information to get to the data for the application to use it.

The most secure way, if you don't want to trust the user, is to have them send the request to your server, and then your server uses its own credentials to go to the website of interest and return the data back to the user.

This way the data stays protected in one place.

Otherwise someone can get to the credentials if they try hard enough.