Fork me on Github

Shivam Verma
    Blog     Portfolio     About Me / Contact     Feed

Security.

Pushed a fairly major update to my github fork of Privly - Android. Users can now create new Privly Content and share it using any sharing option available on the device.

Here are a few screenshots :

Screenshot from 2013-08-15 14:41:35

One major feature that I’ve been working on for the past few days is implementing the Remember Me Option. The easiest way of doing this could be the way its implemented in the current code.

Something like :

if (rememberMeCheckBox.isChecked()) {
    Editor editor = settings.edit();
    editor.putString("uname", userName);
    editor.putString("pwd", password);
    editor.commit();
}

This makes it really unsecure though. Malware can hook up apis and retrieve the password if stored in plain text. What I could do is to hash the password using some hashing mechanism such as SHA512 (SHA256 is already considered a legacy in the security world ?). This is obviously better than Plain Text Passwords, however, the easy availability of lookup tables makes it pretty vulnerable to attacks. A more secure method will be use the Salt and Hash mechanism.

To Store a Password:

  • Generate a long random salt
  • concat(salt, password)
  • hash(concat(salt, password))

The salt and the hash are then saved in the user’s record.

To Validate :

  • Fetch salt from database.
  • generate (hash(concat(salt, password))
  • compare this hash with the one from the database.

This is exactly what happened with linkedIn. The SHA1 hashes in the user records were unsalted and its fairly easy to crack them if a user uses a dictionary password.

The Privly content server uses the devise library to salt and hash the passwords. I might be building upon it to use with Android towards the end of the program. As of now, we’ll be using an authentication token to validate a user’s request. This short lived token is generated everytime a user signs in and the user needs to authenticate once the token expires.

Next, I’ll be working on implementing the authentication mechanism followed by the settings panel. I also need to start working upon writing test cases for the methods. Hopefully, I’ll be done with these before the next update.

comments powered by Disqus