UBports Robot Logo UBports Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    What's the best way to store a user password?

    Scheduled Pinned Locked Moved App Development
    14 Posts 8 Posters 586 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
      Reply
      • Reply as topic
      Log in to reply
      This topic has been deleted. Only users with topic management privileges can see it.
      • arubislanderA Offline
        arubislander @gwado
        last edited by

        @gwado There is a nextcloud plugin in the Online Accounts setting. Could you not integrate your app with that?

        Here's some documentation to read up on about the Online Accounts[1]. It is still the old Canonical documentation, but I could not find the UBports mirror.

        1. https://phone.docs.ubuntu.com/en/platform/guides/online-accounts-developer-guide

        πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
        Happily running Ubuntu Touch
        Google Pixel 3a (20.04 DEV)
        JingPad (24.04 preview)
        Meizu Pro 5 (16.04 DEV)

        gwadoG 1 Reply Last reply Reply Quote 1
        • gwadoG Offline
          gwado @arubislander
          last edited by

          @arubislander the Nextcloud API does not allow you to retrieve Ampache/Subsonic identifiers from the Music application.

          arubislanderA 1 Reply Last reply Reply Quote 0
          • arubislanderA Offline
            arubislander @gwado
            last edited by

            @gwado Ah, Nextcloud music provides a Subsonic API. I was not aware.

            πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
            Happily running Ubuntu Touch
            Google Pixel 3a (20.04 DEV)
            JingPad (24.04 preview)
            Meizu Pro 5 (16.04 DEV)

            1 Reply Last reply Reply Quote 0
            • * Offline
              *mchub Banned
              last edited by

              Storing passwords in plain text isn’t ideal, even locally. Since you need to retrieve it later, you could encrypt it using something like AES tied to the username or device info. Also, make sure the file has strict permissions.

              Vlad NirkyV 1 Reply Last reply Reply Quote 0
              • Vlad NirkyV Offline
                Vlad Nirky @*mchub
                last edited by Vlad Nirky

                @mchub
                I use keepassxc and it works well.
                I share the database between all my devices.
                It's not working on Noble yet...

                AppLeeA 1 Reply Last reply Reply Quote 0
                • AppLeeA Offline
                  AppLee @Vlad Nirky
                  last edited by

                  Hi @Vlad-Nirky

                  OP wanted a secure way to store user's password for the app to use.
                  That's an issue with Ubuntu Touch as if a malicious actor can figure out the encryption method used and the key just by reading the sources.
                  A solution would require a way to encrypt the password and ensure that only the intended and unaltered app can access it.

                  Non trivial.

                  Vlad NirkyV arubislanderA 2 Replies Last reply Reply Quote 0
                  • Vlad NirkyV Offline
                    Vlad Nirky @AppLee
                    last edited by

                    @AppLee
                    Isn't it a problem for any operating system ?
                    I thougt that keepass provide API to access the password database.

                    AppLeeA 1 Reply Last reply Reply Quote 0
                    • arubislanderA Offline
                      arubislander @AppLee
                      last edited by

                      @AppLee Originally Online accounts could potentially be used for this. But I have never been able to figure out how to add a custom plugin for an app

                      πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
                      Happily running Ubuntu Touch
                      Google Pixel 3a (20.04 DEV)
                      JingPad (24.04 preview)
                      Meizu Pro 5 (16.04 DEV)

                      1 Reply Last reply Reply Quote 1
                      • AppLeeA Offline
                        AppLee @Vlad Nirky
                        last edited by

                        @Vlad-Nirky said in What's the best way to store a user password?:

                        Isn't it a problem for any operating system ?

                        For proprietary OS, they can easily work around it by integrating a secret in the binary and only the authenticated user can make use of this secret to access sensitive data.
                        It's not the best, but it's pretty good.
                        Or they can rely on security cores to store all the user's secrets in it and grant access only to a trusted piece of code made by the developer of the OS then it's up to the OS to check the user's credentials before accessing the sensitive data.
                        This is widely used nowadays but do you trust the OS developer with your secrets?

                        A 1 Reply Last reply Reply Quote 0
                        • A Offline
                          adorsaz @AppLee
                          last edited by adorsaz

                          @AppLee another way for application developpers is by using the libsecret protocol to ask a user session service to store sensitive data. Gnome-keyring is such a service which creates by default a key store locked by the current user password.

                          IIIRC the KDE/plasma service is named kwallet.

                          Although, IIRC Ubuntu Touch lets user use phone without password/pin code. Maybe this is the reason such service is not provided to app developpers ?

                          arubislanderA 1 Reply Last reply Reply Quote 0
                          • arubislanderA Offline
                            arubislander @adorsaz
                            last edited by

                            @adorsaz said in What's the best way to store a user password?:

                            Although, IIRC Ubuntu Touch lets user use phone without password/pin code. Maybe this is the reason such service is not provided to app developpers ?

                            Ubuntu desktop also allows passwordless login. So that in itself is not the reason there is no implementation of libsecret on UT. The real reason is probably simply that none was implemented as yet.

                            πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
                            Happily running Ubuntu Touch
                            Google Pixel 3a (20.04 DEV)
                            JingPad (24.04 preview)
                            Meizu Pro 5 (16.04 DEV)

                            1 Reply Last reply Reply Quote 1
                            • First post
                              Last post