I am currently working on an Android Application and I have no other choice to store some sensitive information like a username and a password in order to authenticate automatically a user.
I know that is a very very very bad practice, I since the server I use does not manage some token or this kind of things, I do not have other choices.
I heave read a lot of documentation and articles about the subject but I cannot decide how should I store these sensitive information.
I have 3 possibilities :
- using the Android AccountManager system
- using the Android Keystore system
- using the new Jetpack security component
The AccountManager system is not the best way because as the documentation said :
It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.
So I would like to store these sensitive information using the Keystore System or the new jetpack security component. But to be honest, I am not a security expert and I am not sure to understand which way is the more secure.
The new jetpack security component seems so easy to use according to the document.
Do you think that this new component is less secure that the Keystore system ?
Thank you in advance for your help !