Saving your tokens — the right way

Many Android apps have users. They log in with their own credentials,
and unfortunately those credentials get compromised.
The right way to store credentials on Android is to use AccountManager.

Benefits:
* let the OS handle securing your credentials
* support multiple accounts if needed
* share credentials across apps from the same publisher (signed with the same keystore)
* credentials survive "Clear data"
* credentials are kept securely, even on rooted devices (unlike SharedPreferences, hidden files or a database)

How it works:
AccountManager gives you access to account data as key-value pairs.
Accounts have a type (your company identifier) and can be fetched by type.
Your access token should be saved using the AccountManager.

Step 1: declare your account in res/xml

Step 2: Declare account permissions, authentication service and login activity

Step 3: Declare your authenticator service. It can be reached from
phone Settings > Accounts.

Step 4: Declare your CompanyAuthenticator.
addAccount() allows adding an account from phone Settings > Accounts > Add account.
getAuthToken() returns our token.
* There are more options there; look at my GitHub for more.

Step 5: Add the account to the AccountManager after login.
* I always create the account with a token. It's not mandatory, but it simplifies everything a lot.
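Steps 1 to 5 above, carried through in one file as an added example; this is not code from the post or from the author's GitHub project. The account type "com.example.company", the token type "access_token" and a LoginActivity are assumptions, and the res/xml and manifest declarations from steps 1 and 2 are shown as comments at the top so the Java part can be read against them. The login helper stores the account with a null password on purpose, so only the token ever reaches the accounts database, and a forgetToken() helper shows the invalidateAuthToken() call a client should make when the server rejects a token.

```java
// Added example (not the post's or its GitHub project's code). Assumed names: account type
// "com.example.company", token type "access_token", and a LoginActivity that exists in the app.
// Steps 1-2, assumed and shown as comments (the inner Service is referenced with '$'):
//   res/xml/authenticator.xml:  <account-authenticator xmlns:android="http://schemas.android.com/apk/res/android"
//       android:accountType="com.example.company" android:label="@string/app_name"
//       android:icon="@mipmap/ic_launcher" android:smallIcon="@mipmap/ic_launcher" />
//   AndroidManifest.xml:  <service android:name=".CompanyAccounts$CompanyAuthenticatorService" android:exported="true">
//       <intent-filter><action android:name="android.accounts.AccountAuthenticator" /></intent-filter>
//       <meta-data android:name="android.accounts.AccountAuthenticator" android:resource="@xml/authenticator" /></service>
//   API 23+ needs no permission for the app's own account type; earlier targets also declare
//   GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, MANAGE_ACCOUNTS and USE_CREDENTIALS.
import android.accounts.AbstractAccountAuthenticator;
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;

public final class CompanyAccounts {
    public static final String ACCOUNT_TYPE = "com.example.company"; // must match authenticator.xml
    public static final String TOKEN_TYPE = "access_token";

    /** Step 4: the authenticator the OS calls from Settings > Accounts and from getAuthToken(). */
    public static final class CompanyAuthenticator extends AbstractAccountAuthenticator {
        private final Context context;
        public CompanyAuthenticator(Context context) {
            super(context);
            this.context = context;
        }
        /** Settings > Accounts > Add account: hand the user to the app's own login screen. */
        @Override
        public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
                                 String authTokenType, String[] requiredFeatures, Bundle options) {
            return loginIntent(response, null);
        }
        /** Serve the stored token; if none is left (invalidated or never set), send the user to login. */
        @Override
        public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
                                   String authTokenType, Bundle options) {
            String token = AccountManager.get(context).peekAuthToken(account, authTokenType);
            if (token == null || token.isEmpty()) {
                return loginIntent(response, account.name); // a server-side refresh could go here instead
            }
            Bundle result = new Bundle();
            result.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
            result.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
            result.putString(AccountManager.KEY_AUTHTOKEN, token);
            return result;
        }
        private Bundle loginIntent(AccountAuthenticatorResponse response, String accountName) {
            Intent intent = new Intent(context, LoginActivity.class); // assumed login screen
            intent.putExtra(AccountManager.KEY_ACCOUNT_AUTHENTICATOR_RESPONSE, response);
            if (accountName != null) intent.putExtra(AccountManager.KEY_ACCOUNT_NAME, accountName);
            Bundle bundle = new Bundle();
            bundle.putParcelable(AccountManager.KEY_INTENT, intent);
            return bundle;
        }
        // A plain token store needs none of the remaining callbacks; refuse them rather than half-implement them.
        @Override public Bundle editProperties(AccountAuthenticatorResponse r, String t) { throw new UnsupportedOperationException(); }
        @Override public Bundle confirmCredentials(AccountAuthenticatorResponse r, Account a, Bundle o) { return null; }
        @Override public String getAuthTokenLabel(String t) { return "Access token"; }
        @Override public Bundle updateCredentials(AccountAuthenticatorResponse r, Account a, String t, Bundle o) { return null; }
        @Override public Bundle hasFeatures(AccountAuthenticatorResponse r, Account a, String[] f) {
            Bundle b = new Bundle(); b.putBoolean(AccountManager.KEY_BOOLEAN_RESULT, false); return b;
        }
    }

    /** Step 3: the service the system binds to in order to reach the authenticator. */
    public static final class CompanyAuthenticatorService extends Service {
        private CompanyAuthenticator authenticator;
        @Override public void onCreate() { authenticator = new CompanyAuthenticator(this); }
        @Override public IBinder onBind(Intent intent) { return authenticator.getIBinder(); }
    }

    /** Step 5: after a successful login, create the account (or reuse it) and attach the token. */
    public static void saveAfterLogin(Context context, String username, String accessToken) {
        AccountManager am = AccountManager.get(context);
        Account account = new Account(username, ACCOUNT_TYPE);
        // Password is null on purpose: only the token goes into the accounts database.
        // addAccountExplicitly returns false when the account already exists; the token is updated either way.
        am.addAccountExplicitly(account, null, null);
        am.setAuthToken(account, TOKEN_TYPE, accessToken);
    }

    /** Read the token back on the caller's thread; cache the value in memory, as the post suggests. */
    public static String loadToken(Context context) {
        AccountManager am = AccountManager.get(context);
        Account[] accounts = am.getAccountsByType(ACCOUNT_TYPE);
        return accounts.length == 0 ? null : am.peekAuthToken(accounts[0], TOKEN_TYPE);
    }

    /** When the server rejects a token, drop it so the stale value is never served again. */
    public static void forgetToken(Context context, String staleToken) {
        AccountManager.get(context).invalidateAuthToken(ACCOUNT_TYPE, staleToken);
    }
}
```

LoginActivity calls saveAfterLogin() once the server has accepted the credentials. When it was started from Settings (via the KEY_INTENT bundle above) it also receives the AccountAuthenticatorResponse in its extras and must report the result back on it, otherwise the Settings flow hangs; the rest of the app only needs loadToken() and forgetToken().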

Summary:
Protect your users by using AccountManager to save your access tokens.
To speed things up, you can load your credentials into RAM by reading them only once from the AccountManager.
Take a look at my GitHub project for more details.
Good luck ❤
