How does the mobile APP Save the user password and the app saves the user password?

How does the mobile APP Save the user password and the app saves the user password?

<Span style = "font-size: 14px;"> for better user experience, mobile APP clients generally Save User information so that users can log on automatically later. </span>

After saving the user information, security issues are involved.

There are several solutions:

1. First, if you design and develop both the client and server, there are two reliable solutions.

A. the client encrypts the password Hash and saves the hash value to Sqlite after logon. the server obtains the username and hash value, uses the same algorithm to Hash the password, and then compares it with the hash value sent from the user. If the algorithm is the same, the logon is successful. it is more reliable to encrypt passwords with salt. for example, PBKDF2 can be used for salt encryption.

<span style="font-size:14px;">public static String createHash(String password)throws NoSuchAlgorithmException, InvalidKeySpecException {return createHash(password.toCharArray());}/** * Returns a salted PBKDF2 hash of the password. *  * @param password *            the password to hash * @return a salted PBKDF2 hash of the password */public static String createHash(char[] password)throws NoSuchAlgorithmException, InvalidKeySpecException {// Generate a random saltSecureRandom random = new SecureRandom();byte[] salt = new byte[SALT_BYTE_SIZE];random.nextBytes(salt);// Hash the passwordbyte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);return PBKDF2_ITERATIONS + ":" + toHex(salt) + ":" + toHex(hash);}</span>

The encrypted string is 1000: 1507039de0a3c2c88ddf896233278e37d05fd8a0fadc570d: 99222374678d4afe5d7d9bf9be4786e17f045ac217c6a2ca,

1000 indicates the number of iterations, followed by salt and hash values.

After the server obtains this string, it parses the iterations, salt and hash1 values, and then calculates the passwords in the database using the same algorithm.

public static boolean validatePassword(String password, String correctHash)throws NoSuchAlgorithmException, InvalidKeySpecException {return validatePassword(password.toCharArray(), correctHash);}/** * Validates a password using a hash. *  * @param password *            the password to check * @param correctHash *            the hash of the valid password * @return true if the password is correct, false if not */public static boolean validatePassword(char[] password, String correctHash)throws NoSuchAlgorithmException, InvalidKeySpecException {// Decode the hash into its parametersString[] params = correctHash.split(":");int iterations = Integer.parseInt(params[ITERATION_INDEX]);byte[] salt = fromHex(params[SALT_INDEX]);byte[] hash = fromHex(params[PBKDF2_INDEX]);// Compute the hash of the provided password, using the same salt,// iteration count, and hash lengthbyte[] testHash = pbkdf2(password, salt, iterations, hash.length);// Compare the hashes in constant time. The password is correct if// both hashes match.return slowEquals(hash, testHash);}

If hash2 and hash1 are the same, the logon succeeds. At the same time, the client saves the encrypted string to the local database and reads it directly from the database upon next login.

B. Use asymmetric encryption algorithms to encrypt passwords.

Asymmetric encryption is reliable, and the password cannot be obtained even if the encrypted string is leaked.
2. If you are only responsible for the client and are powerless to the server, you may have to use symmetric encryption.(If you are writing a client for the school library and you want to set automatic logon, you can only use symmetric encryption locally to save the encrypted string to your local computer. Next time you log on automatically, retrieve the encrypted string from the database and decrypt it... the server only recognizes the original password.) in this case, you can only consider how to generate an encryption key, how to save the key, and how to confuse it. A method is considered: the encryption and decryption function DES (passwd, key, encode); str1 = DES (passwd, key, encode); str2 = DES (key, str1, encode ); when str1: str2. is saved in the local database, str2 decrypts str1 to obtain the key. then, str1 decrypts the key to get passwd. asymmetric encryption can only increase the password strength with this logic complexity.

Another reference: http://blog.csdn.net/hengyunabc/article/details/34623957