flakes flakes - 4 months ago 24
Android Question

What to do with a password entry on screen rotate

In my application I have a fragment where the user enters a password. This fragment is able to rotate. On rotate I want most of the text fields to be saved and restored using

. Normally when I save a password to disk I use a one-way hash to limit the amount of damage which can be done if this info is compromised. However, if the password is only half written, then I can't do a one-way hash... it needs to be recoverable.

So my question: is putting a password in a
safe? Or should I simply destroy the value if the fragment gets destroyed? Is the following code a security risk for my users?

public override void OnSaveInstanceState(Bundle savedInstanceState)
{
    savedInstanceState.PutString("passEditText", _passEditText.Text);
}

public override void OnActivityCreated(Bundle savedInstanceState)
{
    if (savedInstanceState != null)
        _passEditText.Text = savedInstanceState.GetString("passEditText", "");
}


Fragments have a SaveFragmentInstanceState method.

Save the current instance state of the given Fragment. This can be used later when creating a new instance of the Fragment and adding it to the fragment manager, to have it create itself to match the current state returned here.

Ref: Xamarin: SaveFragmentInstanceState
Ref: Android: saveFragmentInstanceState


It is as secure, or insecure, as any object in memory, including the EditText that has the partial/full password within it. Do not serialize the bundle contents to disk or place secure info with a PersistableBundle as save it...
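
A middle ground between the two options raised in the question, as an added example that is not part of the original question or answers: the partial password goes into the in-memory Bundle only when the activity is being recreated for a configuration change such as rotation, and is dropped in every other case. The class name PasswordFragment and the programmatically created EditText are assumptions made so the example stands alone; the key name follows the question's code.

```csharp
using Android.App;
using Android.OS;
using Android.Text;
using Android.Views;
using Android.Widget;

// Hypothetical fragment for illustration; not code from the question or answers.
public class PasswordFragment : Fragment
{
    const string PassKey = "passEditText";
    EditText _passEditText;

    public override View OnCreateView(LayoutInflater inflater, ViewGroup container,
                                      Bundle savedInstanceState)
    {
        _passEditText = new EditText(Activity)
        {
            InputType = InputTypes.ClassText | InputTypes.TextVariationPassword,
            // Keep the widget from saving its own text as view state, so the
            // only copy that survives is the one OnSaveInstanceState writes.
            SaveEnabled = false
        };

        // Restore only what OnSaveInstanceState chose to keep; empty otherwise.
        _passEditText.Text = savedInstanceState?.GetString(PassKey, "") ?? "";
        return _passEditText;
    }

    public override void OnSaveInstanceState(Bundle outState)
    {
        base.OnSaveInstanceState(outState);

        // True only while the activity is being torn down to be recreated with
        // a new configuration (rotation). When the app is merely sent to the
        // background, nothing is stored and the field comes back empty.
        if (Activity != null && Activity.IsChangingConfigurations)
            outState.PutString(PassKey, _passEditText.Text);
    }

    public override void OnDestroyView()
    {
        // Drop the reference to the widget that holds the typed text.
        _passEditText = null;
        base.OnDestroyView();
    }
}
```

Other, non-sensitive fields can still be saved unconditionally in the same OnSaveInstanceState override.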