Generate quasi secure password on Android
Sometimes you have to use the generated password on the device.
This is generally not the best approach but if you have to then try to do it as good as it is possible.
This is my way to generate a random and quasi secure password on Android:
fun generatePassword(): String{
val androidId = Settings.Secure.getString(context.contentResolver, Settings.Secure.ANDROID_ID)
val applicationId = BuildConfig.APPLICATION_ID
val passPassphraseBase = "$applicationId_$androidId:"
val random = SecureRandom()
val salt = ByteArray(32)
random.nextBytes(salt)
val passPhrase = passPassphraseBase.toByteArray() + salt
val pass = Base64.encodeToString(passPhrase, Base64.NO_WRAP)
return pass
}
You can ask what for I need Application ID and Android ID.
Just to increase entropy (and maybe length) of our password.
Then I store this password encrypted in shared preferences.
I encrypt all shared preferences keys and values with the Keystore RSA algorithm.
After all, we end up with generated symmetric encryption password encrypted with asymmetric algorithm.
All of this is just white-box cryptography where we have our key and encrypted data stored in one place.
We can increase security if we add some external source for at least part of our password.
For that we can use:
- something from our backend
- user input or biometric
About The Author
Artur Latoszewski
On a mission to build great mobile products. Android Dev with a passion for business and management. Mobile phones are remote controls of our society. Let's do them right! Clean architecture fanatic, SOLID believer, Kotlin fanboy.