Welcome to the official BlackBerry Support Community Forums.


Native Development

Trusted Contributor
AllSystemGo
Posts: 140
Registered: ‎11-23-2010
My Device: Torch 9800
My Carrier: Rogers
Accepted Solution

Password question

Ok, I have one piece of advice I need from you guys. I'm currently creating my first BB10 app, and that app is targeting a webservice that needs a user and password to retrieve some JsonData. Right now my app is asking the user and password from the user, and I would like to be able to keep that info so that the user doesn't have to enter his pwd all the time. Now I was wondering where I should be storing that info, since it's sensitive? I was thinking about hashing the pwd and putting it in the QSettings, but I'm afraid it's not secure enough. Can any one of you let me know of the best practices for that?

 

Thank you.

Developer
peter9477
Posts: 6,473
Registered: ‎12-08-2010
My Device: PlayBook, Z10
My Carrier: none

Re: Password question

All the data your app stores will generally be going into its "data" folder, and I believe this includes the QSettings data (unless you're somehow making that write elsewhere). See https://developer.blackberry.com/cascades/documentation/device_platform/filesystem/index.html

This "sandbox" data area is well-protected from other apps, so only your own app can get to it. If your app is uninstalled, its sandbox data area is deleted as well. As of v2.0.1 even "app" backups, which include this data, are encrypted using a BBID-specific key to which the user has no direct access. (Only restoring to another PlayBook or BB10 device configured with the same BBID can ever restore the data, and even then it will still be accessible only to your own app.) See http://devblog.blackberry.com/2012/05/blackberry-tablet-os-piracy-protection/

Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
Trusted Contributor
AllSystemGo
Posts: 140
Registered: ‎11-23-2010
My Device: Torch 9800
My Carrier: Rogers

Re: Password question

So you are telling me that it's ok to save that sensitive data in my settings? And do you suggest encrypting the password or the encryption of the data would be enough?

Developer
peter9477
Posts: 6,473
Registered: ‎12-08-2010
My Device: PlayBook, Z10
My Carrier: none

Re: Password question

If you're dealing with sensitive data, in my opinion you need to become knowledgeable enough to decide that for yourself. I'm just trying to give you more knowledge to help you decide.

How would you propose encrypting the password? If you use an encryption key that's in your app, someone could simply pull that out of the code, if they can get it. Although there is currently thought to be no way to get the app code out of a backup, as there previously was, there are still several holes which allow piracy to continue with fairly little effort, so you can't consider your code to be 100% protected from viewing.

You say "or the encryption of the data would be enough?": I didn't say the data is encrypted, I said that *backups* of the data are now encrypted. The data on the device is unencrypted for now (but see below). As for whether either is "sufficient", that depends on what you're protecting against and how big the risk is.

You might want to restrict your app to those users who are running OS 2.1 (in beta) or later. That version adds encryption for the entire user partition, providing an extra degree of protection.

In the end, you have to decide how valuable the information is and what type of attack you're trying to protect it from. No mechanism is impenetrable in the face of a persistent and skilled attacker.

Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
Trusted Contributor
AllSystemGo
Posts: 140
Registered: ‎11-23-2010
My Device: Torch 9800
My Carrier: Rogers

Re: Password question

Ok, I understand what you mean. Thank you.
