I am making an Android app that needs to be very secure. For authentication to the server, it will use 2-factor authentication that includes:
- username/password
- sms verification
I can't use client certificates (with private keys), as in my case it wouldn't be practical.
Password will be stored securely on a server (probably hash and salt). But, I am having trouble figuring out the best way for the password to be input on the Android app which will be used as a client.
I am currently considering 2 options:
- Ask user for password every time he uses the service
- Save the password to phone DB and reuse it every time a user uses the service
The first option is good because the password is never stored on the phone (except temporarily in RAM), but the password can be stolen if a device is compromised by a keylogger.
I read about ways to install a keylogger to an Android device, and I found out that the most common way is to make the victim install a custom keyboard that will be used for all apps.
This is explained by D.W. here: Keyloggers on Smartphones?
The second option is immune to keyloggers (except the first time the user enters a password), but it has the risk of some malware dumping the database. I haven't found that much info about SQLite security on Android.
Also, the second option bears increased risk if someone gains physical access to the device. However, this risk can be lessened by using some kind of a PIN code to protect access to the app.
And the second factor of authentication (SMS in my case) can also be compromised, either by malware on the phone or by intercepting the SMS at the provider.
So, my question is: Is there a known way to dump a database of an app on an un-rooted Android device, and what is the likelihood of that happening?