The best way to answer the question is:
Do not store your password in the code as it will be easily read.
Of course, the solution to your question also depends a lot on the service your application is connecting to... but starting from the point where you have access to both the application and the server...
The path you want to follow, besides needing encryption, will clearly require working with certificates, etc. Protecting your password is the least of the problems you will face in this journey, where the golden rule is... never, but never, store a password in the code when its security is a requirement.
Having said that, I want to point out that, from experience, the level of security you will end up implementing will be proportional to the importance that the market/users place on your application. This is because, for any of us who create applications, the importance of our own creation is always maximal.
Yet we often forget to look at the reality of it.
Realizing that you are looking for a technical answer to this problem, and in order to better help with this issue and within what you are implementing... I suggest several solutions... but all very questionable with regard to security:
Obfuscate the code
Make the password as random as possible
Use strong algorithms
etc., etc., etc.
Looking at your code snippet, and realizing that you need to manage a password that will be used in the communication between two points so that it is as confidential as possible... and assuming that the password can be dynamic, and not imposed by the server you connect to, and if the cost of SSL is not in your best interest, then why not use the Diffie-Hellman algorithm from SSL? That is, through the mathematical model, two points can agree on a key for each new connection.
This way you will never need to save passwords. Warning: this algorithm is vulnerable to man-in-the-middle attacks... and so, once again... SSL is required.
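The exchange sketched in the answer above, and the man-in-the-middle warning that goes with it, as an added worked example (this is illustration code written for this page, not the answerer's code). Both sides derive the same key from nothing but their ephemeral exponents, so no password is stored; an active attacker who substitutes the public values ends up holding a key with each side, and a naive key-confirmation tag does not catch this because the attacker knows both keys. The group parameters are an assumption for readability: p = 2**127 - 1 is a Mersenne prime small enough to read and far too small for real traffic; production code must use a standardised group (RFC 7919 ffdhe2048 or larger) or X25519, and must authenticate the exchange, which is what TLS certificates do.

```python
"""Ephemeral Diffie-Hellman agreement, and why it alone does not stop an
active man-in-the-middle. Illustration code, not from the original answer.

Toy parameters (assumption for readability): p = 2**127 - 1 is a Mersenne
prime; it is NOT safe for real use. Use RFC 7919 groups or X25519, and
authenticate the exchange (TLS does this with certificates)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus, see note above
G = 5            # toy generator


def keygen():
    """Fresh ephemeral key pair: private exponent x, public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from peer_pub^priv mod p.

    Rejecting 0, 1 and p-1 blocks the trivial small-subgroup values; hashing
    the shared secret is the minimal KDF that turns it into uniform key bytes."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def confirm(key, pub_sent, pub_received):
    """Key-confirmation tag over the public values one party saw on the wire."""
    transcript = pub_sent.to_bytes(16, "big") + pub_received.to_bytes(16, "big")
    return hmac.new(key, transcript, hashlib.sha256).digest()


def honest_exchange():
    """Client and server agree on a key with no password stored anywhere."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    # wire: client -> server: c_pub ; server -> client: s_pub
    k_client = shared_key(c_priv, s_pub)
    k_server = shared_key(s_priv, c_pub)
    return k_client, k_server


def mitm_exchange():
    """Same protocol with Mallory relaying and substituting the public values.

    Returns the client's key, the server's key, the two keys Mallory holds,
    and whether the naive confirmation tags still verified on both sides."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    m_priv_c, m_pub_c = keygen()   # Mallory's key pair towards the client
    m_priv_s, m_pub_s = keygen()   # Mallory's key pair towards the server

    # wire: client -> Mallory: c_pub ; Mallory -> server: m_pub_s
    #       server -> Mallory: s_pub ; Mallory -> client: m_pub_c
    k_client = shared_key(c_priv, m_pub_c)     # client believes this is the server's
    k_server = shared_key(s_priv, m_pub_s)     # server believes this is the client's
    k_mallory_client = shared_key(m_priv_c, c_pub)
    k_mallory_server = shared_key(m_priv_s, s_pub)

    # Each side computes its tag over the values it actually saw; Mallory
    # knows both keys, so she forges the tag each side expects.
    client_ok = hmac.compare_digest(
        confirm(k_client, c_pub, m_pub_c),
        confirm(k_mallory_client, c_pub, m_pub_c))
    server_ok = hmac.compare_digest(
        confirm(k_server, s_pub, m_pub_s),
        confirm(k_mallory_server, s_pub, m_pub_s))
    return {
        "client": k_client, "server": k_server,
        "mallory_client": k_mallory_client, "mallory_server": k_mallory_server,
        "confirmation_passed": client_ok and server_ok,
    }


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange, keys match:", a == b)
    r = mitm_exchange()
    print("MITM: client key == server key?", r["client"] == r["server"])
    print("MITM: Mallory shares the client's key?", r["client"] == r["mallory_client"])
    print("MITM: naive key confirmation still passes?", r["confirmation_passed"])
```

Run it as a script: the honest exchange prints matching keys, while in the MITM run the client and server hold different keys, Mallory holds both, and the confirmation check passes anyway. That last line is the point of the warning in the answer: agreeing on a key is not the same as knowing who you agreed with, and only authentication of the public values (a certificate in TLS) closes the gap.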
An Android application is made in Java, so breaking it is easy. Two options: 1) write a piece of code in ARM; 2) keep the key on the PHP side. So, you want to connect? OK, PHP will send you an SMS with the key, and you type the key into Android; the key will be recognized for (for example) 10 minutes.
– Peter
I don’t quite understand the purpose of the key, nor the encryption process. Is your concern about the security of communication? (use SSL) Or is it authenticating the user, i.e. each user will have a different key? (Store this key in the app’s private folder) Or something else? Symmetric encryption alone doesn’t do much, so I suggest you review your design. If you explain better what your main concern is I can give more details.
– mgibsonbr
My need is to develop an application that connects to a remote DB which is part of a tour-guide site; in this application I need the user to log in using the same credentials as the site. So I thought of developing an API so that the app would make a request and the API would return the user's values as JSON, and for that I thought of generating a string in Base64 or AES. The problem with this is that, as there is no token or anything like that, any user can reach the API and make any request through GET or POST.
– Rafael Alexandre