How mobile app saves user password

Source: Internet
Author: User
Tags: decrypt, asymmetric encryption

For a better user experience, a mobile app client generally saves the user's login information so that the user can be logged in automatically.

Saving user information involves a security issue.

There are probably a few solutions:

1. First, assume that you design and develop both the client and the server. Then there are two fairly reliable solutions:

A. The client hashes the password and, after a successful login, saves the hash value to SQLite. The server receives the username and the hash value, hashes the password it holds with the same algorithm, and compares the result with the hash received from the user; if they match, the login succeeds. It is more reliable to add a salt to the password before hashing, for example by using PBKDF2 with a salt.

```java
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Parameters matching the sample string below: 1000 iterations, 24-byte salt, 24-byte hash
public static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
public static final int SALT_BYTE_SIZE = 24;
public static final int HASH_BYTE_SIZE = 24;
public static final int PBKDF2_ITERATIONS = 1000;

public static String createHash(String password)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    return createHash(password.toCharArray());
}

/**
 * Returns a salted PBKDF2 hash of the password.
 *
 * @param password the password to hash
 * @return a salted PBKDF2 hash of the password
 */
public static String createHash(char[] password)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    // Generate a random salt
    SecureRandom random = new SecureRandom();
    byte[] salt = new byte[SALT_BYTE_SIZE];
    random.nextBytes(salt);
    // Hash the password
    byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
    // Output format: iterations:salt:hash, with salt and hash hex-encoded
    return PBKDF2_ITERATIONS + ":" + toHex(salt) + ":" + toHex(hash);
}

// Computes the PBKDF2 hash of a password with the given salt, iteration count and output size
private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
    SecretKeyFactory skf = SecretKeyFactory.getInstance(PBKDF2_ALGORITHM);
    return skf.generateSecret(spec).getEncoded();
}

// Converts a byte array into a zero-padded hexadecimal string
private static String toHex(byte[] array) {
    String hex = new BigInteger(1, array).toString(16);
    int paddingLength = (array.length * 2) - hex.length();
    return paddingLength > 0 ? String.format("%0" + paddingLength + "d", 0) + hex : hex;
}
```

The resulting string is 1000:1507039DE0A3C2C88DDF896233278E37D05FD8A0FADC570D:99222374678D4AFE5D7D9BF9BE4786E17F045AC217C6A2CA, where 1000 is the iteration count, followed by the hex-encoded salt and the hex-encoded hash value.

After the server receives the string, it parses out the iteration count, the salt and the hash value (hash1), and then uses the same algorithm to compute hash2 from the password stored in its database.

```java
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;

// Field positions in the iterations:salt:hash string
public static final int ITERATION_INDEX = 0;
public static final int SALT_INDEX = 1;
public static final int PBKDF2_INDEX = 2;

public static boolean validatePassword(String password, String correctHash)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    return validatePassword(password.toCharArray(), correctHash);
}

/**
 * Validates a password using a hash.
 *
 * @param password    the password to check
 * @param correctHash the hash of the valid password
 * @return true if the password is correct, false if not
 */
public static boolean validatePassword(char[] password, String correctHash)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    // Decode the hash into its parameters
    String[] params = correctHash.split(":");
    int iterations = Integer.parseInt(params[ITERATION_INDEX]);
    byte[] salt = fromHex(params[SALT_INDEX]);
    byte[] hash = fromHex(params[PBKDF2_INDEX]);
    // Compute the hash of the provided password, using the same salt,
    // iteration count, and hash length (pbkdf2() is defined in the block above)
    byte[] testHash = pbkdf2(password, salt, iterations, hash.length);
    // Compare the hashes in constant time. The password is correct if
    // both hashes match.
    return slowEquals(hash, testHash);
}

// Converts a hexadecimal string into a byte array
private static byte[] fromHex(String hex) {
    byte[] binary = new byte[hex.length() / 2];
    for (int i = 0; i < binary.length; i++) {
        binary[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
    }
    return binary;
}

// Compares two byte arrays in length-constant time, so that the time taken
// does not reveal at which byte the arrays differ
private static boolean slowEquals(byte[] a, byte[] b) {
    int diff = a.length ^ b.length;
    for (int i = 0; i < a.length && i < b.length; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}
```


If hash2 matches hash1, the login succeeds. At the same time, the client saves the hash string to its local database and reads it directly from the database the next time it logs in.
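One point the validation code above does not cover: in this scheme the iteration count, salt and hash all arrive from the client, so the server should check the string strictly before doing any PBKDF2 work (an unbounded iteration count makes the server burn CPU on every login attempt, and a malformed field would otherwise throw an exception). The parser below is an added example, not the article's code; the size and iteration bounds are assumptions taken from the sample string above, and it needs Java 16 or later for the record type.

```java
import java.util.Optional;

// Added example (not from the article): strict parsing of the
// "iterations:salt:hash" string before the server uses any of its fields.
public final class StoredHashFormat {
    // Sizes match the article's sample string: 24-byte salt, 24-byte hash
    static final int SALT_BYTE_SIZE = 24, HASH_BYTE_SIZE = 24;
    // Assumed bounds: the client chooses the iteration count, so the server caps it
    static final int MIN_ITERATIONS = 1000, MAX_ITERATIONS = 1_000_000;

    record Parsed(int iterations, byte[] salt, byte[] hash) {}

    /** Returns empty on any malformed input instead of throwing. */
    static Optional<Parsed> parse(String stored) {
        if (stored == null) return Optional.empty();
        String[] parts = stored.split(":", -1);   // -1 keeps trailing empty fields
        if (parts.length != 3) return Optional.empty();
        int iterations;
        try { iterations = Integer.parseInt(parts[0]); }
        catch (NumberFormatException e) { return Optional.empty(); }
        if (iterations < MIN_ITERATIONS || iterations > MAX_ITERATIONS) return Optional.empty();
        byte[] salt = fromHex(parts[1]);
        byte[] hash = fromHex(parts[2]);
        if (salt == null || hash == null) return Optional.empty();
        if (salt.length != SALT_BYTE_SIZE || hash.length != HASH_BYTE_SIZE) return Optional.empty();
        return Optional.of(new Parsed(iterations, salt, hash));
    }

    // Hex decoder that returns null on odd length or non-hex characters
    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) {
        // The article's own sample string, then three constructed malformed inputs
        String good = "1000:1507039DE0A3C2C88DDF896233278E37D05FD8A0FADC570D:99222374678D4AFE5D7D9BF9BE4786E17F045AC217C6A2CA";
        System.out.println(parse(good).isPresent());
        System.out.println(parse("1000:abc").isPresent());      // only two fields
        System.out.println(parse("abc:00:00").isPresent());     // iterations not numeric
        System.out.println(parse("1000:zz:00").isPresent());    // non-hex salt, wrong lengths
    }
}
```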

B. Encrypt the password with an asymmetric encryption algorithm.

    1. The client encrypts the password with the public key, obtains the encrypted string, and sends it to the server.
    2. The server decrypts the password with the private key and verifies it.
    3. After a successful login, the client saves the encrypted string locally, so that it can be reused the next time the user logs in.

Using asymmetric encryption is more reliable: even if the encrypted string is leaked, the password cannot be recovered from it.
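The three steps of scheme B in one process, as an added example that is not part of the original article. The key pair, the RSA-OAEP padding, the class and method names and the sample password are all this example's own choices; the article names none of them. Note the practical limit of the scheme: the saved ciphertext is itself a login credential, so anyone who copies it from the device can log in with it even though the password stays hidden.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import javax.crypto.Cipher;

// Added example (not the article's code): scheme B, client and server in one process.
public class AsymmetricLoginDemo {
    // The article names no padding; OAEP is assumed here.
    private static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Step 1: the client encrypts the password with the server's public key.
    // The Base64 result is both what it sends and what it later stores locally.
    static String clientEncrypt(PublicKey pub, char[] password) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, pub);
        byte[] ct = c.doFinal(new String(password).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // Step 2: the server decrypts with its private key and compares in constant time
    // against what it holds (plaintext only for brevity; a real server would hash
    // the decrypted value and compare it with a stored hash, as in scheme A).
    static boolean serverVerify(PrivateKey priv, String ciphertextB64, byte[] expected) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, priv);
        byte[] pt = c.doFinal(Base64.getDecoder().decode(ciphertextB64));
        return MessageDigest.isEqual(pt, expected);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // private key never leaves the server

        byte[] onServer = "correct horse".getBytes(StandardCharsets.UTF_8); // constructed sample
        String saved = clientEncrypt(kp.getPublic(), "correct horse".toCharArray());
        // Step 3: after a successful login the client keeps 'saved' in its local
        // database and resends it next time instead of asking for the password.
        System.out.println("saved login: " + serverVerify(kp.getPrivate(), saved, onServer));
        String wrong = clientEncrypt(kp.getPublic(), "wrong".toCharArray());
        System.out.println("wrong password: " + serverVerify(kp.getPrivate(), wrong, onServer));
    }
}
```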
2. Suppose you are only in charge of the client and can do nothing about the server. Then you can only use symmetric encryption. (For example, you are writing a client for the school library and want to implement your own automatic login. Then you can only encrypt the password locally with symmetric encryption and save the encrypted string locally; the next time the user signs in, you read the encrypted string from the database and decrypt it, because the server only accepts the original password.) In this situation, all you can consider is how to generate the encryption key, how to save it and how to obfuscate it. One method that was considered: define an encryption/decryption function des(passwd, key, encode); compute str1 = des(passwd, key, encode) and str2 = des(key, str1, encode); save str1:str2 in the local database. When decrypting, first decrypt str2 with str1 to recover the key, then decrypt str1 with the key to obtain passwd. Symmetric encryption used this way can only add password strength through this kind of logical complexity.
3. Use JNI together with encryption.

Another article: http://blog.csdn.net/hengyunabc/article/details/34623957

Analysis of string encryption and decryption using JNI in Android

Salted password hashing: how to use it correctly
