I'm developing an android app using Firemonkey. This app makes requests to a WebApi using Rest and returning json result. The API is already developed and each request needs to send user and password as querystring to return data. My question is: what is the best way to save sensitive data in firemonkey (android). Of course using encryption to store such data is the first thing that comes to mind, but is there any native and secure feature for this on firemonkey?
Do not encrypt passwords, when the attacker gets the DB he will also get the encryption key.
Just using a hash function is not sufficient and just adding a salt does little to improve the security.
Instead iIterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2
, password_hash
, Bcrypt
and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.
Do not send the user's password in the query string, with an HTTP connection it is in the clear, with an HTTPS connection it will be encrypted but probably end up in the server log files