Generate quasi secure password on Android

Sometimes you have to use the generated password on the device.
This is generally not the best approach but if you have to then try to do it as good as it is possible.
This is my way to generate a random and quasi secure password on Android:

fun generatePassword(): String{
     val androidId = Settings.Secure.getString(context.contentResolver, Settings.Secure.ANDROID_ID)
     val applicationId = BuildConfig.APPLICATION_ID

     val passPassphraseBase = "$applicationId_$androidId:"

     val random = SecureRandom()
     val salt = ByteArray(32)

     val passPhrase = passPassphraseBase.toByteArray() + salt

     val pass = Base64.encodeToString(passPhrase, Base64.NO_WRAP)

     return pass

You can ask what for I need Application ID and Android ID.
Just to increase entropy (and maybe length) of our password.

Then I store this password encrypted in shared preferences.
I encrypt all shared preferences keys and values with the Keystore RSA algorithm.

After all, we end up with generated symmetric encryption password encrypted with asymmetric algorithm.

All of this is just white-box cryptography where we have our key and encrypted data stored in one place.

We can increase security if we add some external source for at least part of our password.
For that we can use:

  • something from our backend
  • user input or biometric

Add a Comment

Your email address will not be published. Required fields are marked *