security - How to securely store credentials (password) in Android application?

Question

I want to store the password used for signing in a financial application that I am developing at a secure place. After doing some net surfing I found following options but each of them has certain drawback.

1) KeyChain.
Only available in OS version 4.

2) Shared Preferences.
It stores data in plain text even though if I encrypt the data then the encryption key can be compromised by decompiling the application code.

3) Access keystore daemon and store credentials in it.
(http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html) Requires another password to remember.

Please suggest me a better way to secure credential information in android application like IPhone KeyChain.

Answer 1

The is no equivalent of iPhone's KeyChain in Android currently. If you want to keep something secret, don't store it on the device. Or at least, don't store the key/password it is encrypted with on the device. Simple as that.

Additionally:

1) Even on ICS, you cannot use the KeyChain directly to store application secrets (see blog post in 3))

2) This is only a problem for rooted phones, or if someone has physical access to the device.

3) It is a lot better to remember a single password, protecting all of you credentials, than trying to remember multiple passwords. Additionally, on ICS, there is no separate password, the credential storage is protected by the device unlock password.