Does the Android WebView encrypt saved passwords?
We have an app that we are looking to release that is just a WebView that points to our mobile site which is password protected. Currently we plan to allow users access to the "save password" functionality of the WebView but I'm not sure if that is safe.
If the password is not stored encrypted and securely, then we will have to simply deny access to that feature for now and develop a more long-term solution later.
So, the question is, is saving a password via a WebView on Android encrypted / secure?
No, it is not secure.
Passwords are stored in plain text (they are not even hashed!) in the database, so if a user has a rooted device (or uses an emulator) then he is able to get into the database and steal stored passwords for given sites.
I had a similar problem with storing WebView passwords and I did it, but it required WebKit recompilation and the use of a custom sqlitedb.so binary that has encryption enabled. I wouldn't recommend this if storing passwords is not the top use case for the app you are developing. Too much effort for little gain.
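Denying the "save password" feature, as the question proposes, comes down to WebView configuration plus a one-time purge of anything already stored. The following is an added example, not code from the question or the answer; the activity name and URL are placeholders, and it assumes the legacy `android.webkit` calls, which are deprecated on newer API levels.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.webkit.WebViewDatabase;

// Hypothetical activity name; SITE_URL is a placeholder, not taken from the question.
public class SiteActivity extends Activity {
    private static final String SITE_URL = "https://example.com/"; // placeholder

    @Override
    @SuppressWarnings("deprecation") // the password/form-data calls are deprecated on newer API levels
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);

        WebSettings settings = webView.getSettings();
        // Never offer to remember the login form's password.
        settings.setSavePassword(false);
        // Do not keep other form field values (such as the username) either.
        settings.setSaveFormData(false);

        // Purge anything an earlier build saved while the feature was still enabled.
        WebViewDatabase db = WebViewDatabase.getInstance(this);
        if (db.hasUsernamePassword()) {
            db.clearUsernamePassword();
        }
        if (db.hasHttpAuthUsernamePassword()) {
            db.clearHttpAuthUsernamePassword();
        }
        if (db.hasFormData()) {
            db.clearFormData();
        }

        // Keep navigation inside this WebView so the same settings apply to every page.
        webView.setWebViewClient(new WebViewClient());
        setContentView(webView);
        webView.loadUrl(SITE_URL);
    }
}
```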