
How is "keep logged in" secured in native applications?


I always wondered how native applications like the Dropbox client or any other native application with a serverside service implement the "keep logged in" feature securely.

  • Do they store the user's credentials? Or do they store a never-expiring access token?
  • How are the credentials / access token stored? They must be encrypted in some way.
  • When encrypting the data, how is the key generated? A fixed key wouldn't make much sense because the code could be reverse engineered.

Is there a best practice or industry standard for storing credentials / access-tokens securely?


Solution

  • Native apps can use built-in secure storage to store OAuth tokens after login:

    • Tokens are encrypted with a key that is private to the app and user
    • They are stored in operating system secure storage, e.g. Windows Credential Manager or the macOS / iOS Keychain
    • The refresh token can have a long-lived expiry, but it is not infinite
    • Standard libraries usually do the lower-level encryption work

    The key benefit of course is that the user does not need to log in on every app restart. As an example:

    The same principles apply to mobile:
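To make the answer's flow concrete, here is an added Python example that is not part of the original answer and not the code of any particular product. It keeps the access token in process memory only, writes the refresh token (with its expiry) to OS secure storage, and on the next start tries to resume the session from that stored refresh token instead of showing a login screen. The `KeyringStore` backend uses the third-party `keyring` library (real API: `set_password` / `get_password` / `delete_password`), which hands the actual encryption to Windows Credential Manager, the macOS Keychain or the Linux Secret Service; `MemoryStore` and `FakeAuthServer` are constructed stand-ins so the flow runs offline, and the refresh-token lifetime, rotation and the `"correct-horse"` password check are assumptions of the example.

```python
import json
import secrets
import time
from typing import Optional

try:
    import keyring  # third-party (pip install keyring): talks to the OS credential store
except ImportError:
    keyring = None


class KeyringStore:
    """Real backend: the OS encrypts the value with a key tied to the logged-in
    user, so the app itself ships no secret key that could be reverse engineered."""
    def __init__(self, service: str) -> None:
        if keyring is None:
            raise RuntimeError("keyring library not installed")
        self.service = service
    def put(self, key: str, value: str) -> None:
        keyring.set_password(self.service, key, value)
    def get(self, key: str) -> Optional[str]:
        return keyring.get_password(self.service, key)
    def delete(self, key: str) -> None:
        try:
            keyring.delete_password(self.service, key)
        except keyring.errors.PasswordDeleteError:
            pass  # nothing stored under that key


class MemoryStore:
    """Constructed stand-in backend for tests; same interface, plain dict inside."""
    def __init__(self) -> None:
        self._d = {}
    def put(self, key, value): self._d[key] = value
    def get(self, key): return self._d.get(key)
    def delete(self, key): self._d.pop(key, None)


class FakeAuthServer:
    """Constructed stand-in for the service's OAuth token endpoint: issues a new
    access token plus a refresh token with a bounded lifetime, and rotates the
    refresh token on every use so a stored copy can only be replayed once."""
    def __init__(self, refresh_ttl: float, now=time.time) -> None:
        self.refresh_ttl, self.now = refresh_ttl, now
        self._valid_refresh = {}  # refresh token -> expiry timestamp

    def _issue(self):
        access = "at_" + secrets.token_urlsafe(16)
        refresh = "rt_" + secrets.token_urlsafe(16)
        self._valid_refresh[refresh] = self.now() + self.refresh_ttl
        return access, refresh, self._valid_refresh[refresh]

    def password_grant(self, username: str, password: str):
        if password != "correct-horse":  # assumed credential check for the demo
            raise PermissionError("bad credentials")
        return self._issue()

    def refresh_grant(self, refresh: str):
        expiry = self._valid_refresh.pop(refresh, None)  # single use: rotation
        if expiry is None or expiry < self.now():
            raise PermissionError("refresh token invalid or expired")
        return self._issue()


class TokenSession:
    """Client side: refresh token goes to secure storage with its expiry, the
    access token lives only in memory and is re-obtained at every app start."""
    KEY = "refresh-token"

    def __init__(self, store, server, now=time.time) -> None:
        self.store, self.server, self.now = store, server, now
        self.access_token = None

    def login(self, username: str, password: str) -> None:
        self._remember(*self.server.password_grant(username, password))

    def resume(self) -> bool:
        """App start: returns False when the user must log in again, i.e. nothing
        is stored, the stored refresh token has expired, or the server rejects it."""
        raw = self.store.get(self.KEY)
        if raw is None:
            return False
        saved = json.loads(raw)
        if saved["expires_at"] < self.now():
            self.store.delete(self.KEY)
            return False
        try:
            self._remember(*self.server.refresh_grant(saved["value"]))
        except PermissionError:
            self.store.delete(self.KEY)  # stale or revoked copy: back to login
            return False
        return True

    def logout(self) -> None:
        self.access_token = None
        self.store.delete(self.KEY)

    def stored_refresh_token(self) -> Optional[str]:
        raw = self.store.get(self.KEY)
        return json.loads(raw)["value"] if raw else None

    def _remember(self, access, refresh, expires_at) -> None:
        self.access_token = access  # memory only, never written to disk
        self.store.put(self.KEY, json.dumps({"value": refresh, "expires_at": expires_at}))
```

In a real client you would construct `TokenSession(KeyringStore("com.example.myapp"), real_oauth_client)` and call `resume()` at startup, falling back to `login()` only when it returns `False`; the two things worth noticing are that the access token is never persisted at all, and that the stored refresh token is bounded twice, by the expiry the app records and by the server's own single-use rotation, so a copied credential store neither lasts forever nor keeps working after the legitimate client has refreshed.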