How to store refresh token safely on Android Mobile

Jiten Shah

Jun 20, 2017
I need to use a REST API for accessing data. The REST API uses a username and password for the initial authentication and then generates an access token and a refresh token, which are forwarded to the Android client. The refresh token is used so that the user does not have to log in every day, and it can be used to renew the access token (short-lived) periodically.

My only concern is: if the phone is rooted and gets access to the refresh token, either from shared preferences or the SQL DB --> the user can keep on generating access tokens with the help of the refresh token and attack the server.

Is there a better way I can handle this situation? I don't want the user to log in every time he opens the app.
 
Difficult to stop. I would implement something on the server side to detect repeated or excessive uses of the token, and take measures to deny service to the sender.

Thank you LV426. So, I can go with my approach of storing the access token and refresh token on the Android mobile and also implement the server-side intelligence to detect repeated or excessive use?
 
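One way to implement the server-side check suggested in the reply above, as an added example that is not part of the original thread: a sliding-window counter per refresh token that revokes a token once it is used more often than a normal client would need. The class name, the thresholds (3 refreshes per hour) and the in-memory storage are assumptions for illustration.

```python
import hashlib
from collections import defaultdict, deque


class RefreshGuard:
    """Counts refresh attempts per token in a sliding window; revokes on excess."""

    def __init__(self, max_uses=3, window_seconds=3600):
        # Assumed policy: a well-behaved client refreshes about once per
        # access-token lifetime, so 3 uses per hour leaves room for retries.
        self.max_uses = max_uses
        self.window = window_seconds
        self._uses = defaultdict(deque)  # token digest -> timestamps of recent uses
        self._revoked = set()            # digests of revoked refresh tokens

    @staticmethod
    def _key(token):
        # Keep only a digest so the monitoring state never holds raw tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def check(self, token, now):
        """Return 'ok', 'revoked_now' or 'denied' for a refresh attempt at `now`."""
        key = self._key(token)
        if key in self._revoked:
            return "denied"              # user must log in again with credentials
        uses = self._uses[key]
        while uses and now - uses[0] >= self.window:
            uses.popleft()               # drop attempts that left the window
        uses.append(now)
        if len(uses) > self.max_uses:
            self._revoked.add(key)
            del self._uses[key]
            return "revoked_now"
        return "ok"


def replay(events, guard):
    """Run (timestamp, token) events through the guard and collect the verdicts."""
    return [guard.check(token, ts) for ts, token in events]


# Constructed sample: "rt-alice" refreshes hourly, "rt-bob" is hammered in seconds.
SAMPLE_EVENTS = [
    (0, "rt-alice"), (3600, "rt-alice"), (7200, "rt-alice"),
    (7300, "rt-bob"), (7301, "rt-bob"), (7302, "rt-bob"),
    (7303, "rt-bob"), (7400, "rt-bob"), (10800, "rt-alice"),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, RefreshGuard())):
        print(event, verdict)
```

In a real deployment the counters and the revocation list would live in shared storage so every API node sees the same state.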
