-
Type:
Bug
-
Status: Closed
-
Priority:
TBD
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: 2.6.2
-
Labels:
-
Complexity:Undetermined
Currently, the Android client provides no means of securing the user credentials when they login to the OpenMRS instance. The username and password is stored in SharedPreferences with no encryption, and so one could retrieve it from the Android phone and then the person would have access to the user's account.
We should increase the security of the login phase by encrypting the username + password, using bcrypt. BCrypt has a key advantage compared to SHA encryption methods which is that it comes with salt generation which should be used when encrypting the user's credentials.
References
jBCrypt library - http://www.mindrot.org/projects/jBCrypt/
