Currently, I am developing an Android app that needs online authentication for login (and registration). The main focus is on security. I'm aiming for:
- keeping the users’ passwords safe and
- preventing MITM attacks.
I studied a lot about different approaches [1][2][3]. My problem now is how to combine these ideas into one secure mechanism. To put it differently, have I overlooked something?
Long story short, I came up with the following:
The illustration you see shows the login process performed by the app's background Service before it downloads notifications for this user. The idea is to send the hashed user password only once and then to work with a server-side generated authentication token, which is kept in an encrypted KeyStore on the phone and renewed on every login.
Further information: The app-server communication is done over HTTPS. The hash is a randomly salted bcrypt created on the phone. The database table consists only of `id`, `username`, `hash`, `salt`, `authtoken`.
What do you think about these considerations?
I am looking forward to your criticism and feedback.
Qdeep
Some ideas were "stolen" from The definitive guide to form based website authentication here on SO. Others were found by searching for android secure authentication.
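To make the exchange described in the question concrete, here is a Python model of both sides of it (registration, login, token renewal, and a token-authenticated notification fetch). This is added example code, not the asker's app or server. Everything in it is assumed: the class and method names, the in-memory table, the way the phone obtains its salt (it asks the server for it), and the use of `hashlib.pbkdf2_hmac` in place of bcrypt, chosen only because it ships with the standard library; the structure (random per-user salt, slow hash computed on the phone, hex string sent once, random token afterwards) follows the question.

```python
import hashlib
import hmac
import os
import secrets

NOTIFICATIONS = ["order shipped", "new message"]  # constructed sample data


def hash_password(password: str, salt: bytes) -> str:
    """Phone-side password hash. PBKDF2-HMAC-SHA256 stands in for the bcrypt
    the question uses (assumption, stdlib only); the shape is the same: random
    per-user salt, slow hash, hex string goes over the (HTTPS) wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


class Server:
    """Holds the single table from the question: id, username, hash, salt, authtoken."""

    def __init__(self):
        self.rows = {}      # username -> row dict; in-memory stand-in for the DB
        self._next_id = 1

    def register(self, username, client_hash, salt_hex):
        if username in self.rows:
            raise ValueError("username taken")
        self.rows[username] = {"id": self._next_id, "username": username,
                               "hash": client_hash, "salt": salt_hex, "authtoken": None}
        self._next_id += 1

    def salt_for(self, username):
        # Assumption: the phone asks for the stored salt so it can recompute the same hash.
        # Unknown users get a fresh random salt so the reply does not reveal which names exist.
        row = self.rows.get(username)
        return row["salt"] if row else os.urandom(16).hex()

    def login(self, username, client_hash):
        row = self.rows.get(username)
        expected = row["hash"] if row else "0" * len(client_hash)  # uniform timing for unknown users
        if not hmac.compare_digest(expected, client_hash) or row is None:
            return None
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        row["authtoken"] = token            # renewed on every login; the previous token stops working
        return token

    def fetch_notifications(self, username, token):
        row = self.rows.get(username)
        if row is None or row["authtoken"] is None:
            return None
        if not hmac.compare_digest(row["authtoken"], token):
            return None
        return list(NOTIFICATIONS)


class Phone:
    """The app's background Service: sends the hash once per login, then uses only the token."""

    def __init__(self, server):
        self.server = server
        self.keystore = {}  # stands in for the encrypted Android KeyStore

    def register(self, username, password):
        salt = os.urandom(16)
        self.server.register(username, hash_password(password, salt), salt.hex())

    def login(self, username, password):
        salt = bytes.fromhex(self.server.salt_for(username))
        token = self.server.login(username, hash_password(password, salt))
        if token is None:
            return False
        self.keystore["username"] = username
        self.keystore["authtoken"] = token
        return True

    def notifications(self):
        # Later requests carry only the token, never the password hash.
        return self.server.fetch_notifications(self.keystore.get("username"),
                                               self.keystore.get("authtoken", ""))


def demo():
    server = Server()
    phone = Phone(server)
    phone.register("alice", "correct horse")
    first = phone.login("alice", "correct horse")
    old_token = phone.keystore["authtoken"]
    got = phone.notifications()
    phone.login("alice", "correct horse")        # second login renews the token
    old_still_valid = server.fetch_notifications("alice", old_token) is not None
    wrong = phone.login("alice", "wrong password")
    return {"first": first, "notifications": got,
            "old_token_still_valid": old_still_valid, "wrong_password": wrong}
```

One thing the model makes visible: with this table layout the value in `hash` is exactly what the phone transmits, so the server compares it directly and anyone who can read the table can replay it as a login. That is the question's design as stated, reproduced here rather than changed; whether to hash the received value again on the server is one of the points the asker is inviting feedback on.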