4

I am building an Android password management app, where passwords are locally kept for security reasons. The network endpoints are only for creating an account, email verifications etc.

I want to handle a scenario where, if a user accidentally deletes the app and re-installs it, the local data is backed up for that account. Of course I don't want to implement a cloud backup here.

What is the most secure way to locally back up the password data, only so that, upon reinstalling the app and logging back in, the data since backed up won't be lost? The data is with respect to a device only, as in the data stored from a particular Android device.

CPlus
asked Aug 26 at 4:06
3
  • 1
    This question might be relevant: stackoverflow.com/questions/42051255/… Commented Aug 26 at 10:40
  • 2
    Do you have no intention to care for the scenario where a user accidentally destroys or loses the Android device? Shouldn't the solution for the latter also solve the problem asked in this question? Commented yesterday
  • ... or in other words, you want security, but completely ignore the safety aspect? Seriously? Commented yesterday

2 Answers 2

1

Of course I don't want to implement a cloud backup here.

Why not?

What is the best way to ~~locally~~ and securely backup the data of passwords only so that upon reinstalling the app and logging back in the data since backed up, it won't be lost.

Cloud backup.

While an app can store stuff in a dataset in shared storage (see Ewan's answer), I'm not sure it's a good idea to use that for the backups, for two reasons:

  1. Things happen: apps get uninstalled and devices get lost, stolen or broken. And when somebody gets his smartphone stolen, the last thing he needs is an additional headache about all his passwords being definitively lost.

  2. If you discuss with your users, there is a strong chance that they would want not just a backup, but background synchronization. If I create a password on my tablet, I am expecting to see it on my smartphone as well, automatically.

answered Aug 26 at 6:11
9
  • I agree with your opinion. I think that the most important is to clearly explain to the user "If you click the backup button, your passwords will be stored in the wild." and then the user can choose how he will manage his data security. Commented Aug 26 at 6:39
  • So you're saying even for an offline-first password manager the best backup is cloud, so store passwords locally and, when you need a backup, go to cloud? Commented Aug 26 at 7:20
  • 1
    @mmm: define "in the wild." Backups of sensitive information should be encrypted. Commented Aug 26 at 8:01
  • @dev4Life: user data on Android devices is usually backed up in the cloud on a regular basis anyway. Now, start with requirements elucidation, work with your users, define what they need exactly. Chances are that a user doesn't want backups, but synchronization. That is, if I store a password on my tablet, I expect to be able to read it on my smartphone later on, and I expect it to be automatic. Commented Aug 26 at 8:05
  • 1
    Yeah, I've put an answer in, but overall I share your view about the overall advisability of the idea. It seems like just using the app data storage + automatic Android backup is simple and secure. Commented Aug 26 at 14:52
0

Vibe coding here, but..

You can save files to one of the shared storage locations, or external storage.

https://developer.android.com/training/data-storage/shared/documents-files

This won't be deleted if the app is uninstalled. But presumably you will want to encrypt the file, and so you have the same problem with the encryption key.

You do mention logging in and accounts, so do you store the encryption key in the cloud?

If so then on a reinstall the user can log into their account, download the key and decrypt the file from shared storage.

But your question had three parts. The backup must be :

  1. The BEST
  2. Local
  3. Secure

I'm just "vibing" here as the kids say, so I don't know if this is the "BEST". The downside is that other apps will be able to access the file. You are giving up on the OS security for app-only access to its own data.

Tick the local requirement. But this won't stop users deleting it or factory resetting their phones.

It's less secure than using the app specific storage. You will have to weigh that against it not being online.

answered Aug 26 at 10:54
2
  • 2
    Clarification: "vibe coding" as a term is generally used for the process of sitting down with a GenAI program and having it do all the work to create a (program, feature, bug, etc) Commented Aug 27 at 19:46
  • Yes, here I'm using it in a broader sense of "making it up as I go and not testing". Commented Aug 27 at 22:16
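
The flow described in the second answer (an encrypted file in shared storage, with the key fetched after login) is shown below as an added example; it is not code from the original post. The file layout, the names `sealBackup` and `openBackup`, the 256-bit key delivered by the account service, and binding the account ID as associated data are all assumptions. Because other apps can reach the file, AES-GCM is used so a modified or swapped file fails to decrypt instead of restoring altered data.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// Assumed file layout (not from the post): MAGIC(4) | nonce(12) | ciphertext + 16-byte tag
private val MAGIC = "PWB1".toByteArray(Charsets.US_ASCII)
private const val NONCE_LEN = 12
private const val TAG_BITS = 128

/** Encrypts the vault for shared storage; the account ID is bound as associated data. */
fun sealBackup(vault: ByteArray, key: ByteArray, accountId: String): ByteArray {
    require(key.size == 32) { "expected a 256-bit key" }
    // A fresh random nonce per backup: reusing a nonce with the same key breaks GCM.
    val nonce = ByteArray(NONCE_LEN).also { SecureRandom().nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(key, "AES"), GCMParameterSpec(TAG_BITS, nonce))
    cipher.updateAAD(MAGIC + accountId.toByteArray(Charsets.UTF_8))
    return MAGIC + nonce + cipher.doFinal(vault)
}

/** Returns the vault, or null if the file is malformed, modified, or tied to another key/account. */
fun openBackup(file: ByteArray, key: ByteArray, accountId: String): ByteArray? {
    val header = MAGIC.size + NONCE_LEN
    if (file.size < header + TAG_BITS / 8) return null
    if (!file.copyOfRange(0, MAGIC.size).contentEquals(MAGIC)) return null
    val nonce = file.copyOfRange(MAGIC.size, header)
    return try {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, SecretKeySpec(key, "AES"), GCMParameterSpec(TAG_BITS, nonce))
        cipher.updateAAD(MAGIC + accountId.toByteArray(Charsets.UTF_8))
        cipher.doFinal(file, header, file.size - header)
    } catch (e: AEADBadTagException) {
        null // authentication failed: do not restore anything from this file
    }
}

fun main() {
    // Constructed sample data; the random key stands in for the one downloaded after login.
    val key = ByteArray(32).also { SecureRandom().nextBytes(it) }
    val vault = """{"example.com":"constructed-sample-password"}""".toByteArray()
    val file = sealBackup(vault, key, "user@example.com")
    check(openBackup(file, key, "user@example.com")!!.contentEquals(vault))
    val tampered = file.copyOf().also { it[it.size - 1] = (it[it.size - 1].toInt() xor 1).toByte() }
    check(openBackup(tampered, key, "user@example.com") == null)
    check(openBackup(file, key, "other@example.com") == null)
    println("round trip ok; tampered and wrong-account files rejected")
}
```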
