Secure Android SharedPreferences


Did you know the data stored in local storage or shared preferences can be hacked? What if the data stored is very confidential - can be user details, api keys or some other important data which you cannot afford losing.

Securing app’s data has become very important as they have become easy to exploit targets. Android Jetpack provides a Security library which can help secure the data.

Here are two simple classes which will help you secure your data stored in files and shared preferences. These classes are part of the Security Library of Android Jetpack.

EncryptedFile - To secure app's local storage files.
EncryptedSharedPreferences - To secure app's shared preferences.

In this blog we are going to talk about EncryptedSharedPreferences and how it is different from existing SharedPreferences class.

What is SharedPreferences?
A SharedPreferences object points to a file containing key-value pairs and provides simple methods to read and write them. Each SharedPreferences file is managed by the framework and can be private or shared. Check https://developer.android.com/training/data-storage/shared-preferences for details.

What is EncryptedSharedPreferences?
An implementation of SharedPreferences that encrypts keys and values. Wraps the SharedPreferences class and automatically encrypts keys and values using a two-scheme method:
  • Keys are encrypted using a deterministic encryption algorithm such that the key can be encrypted and properly looked up. It simpler terms keys are encrypted in a way that its cipher text will always have same value.
  • Values are encrypted using AES-256 GCM and are non-deterministic. It means every time values are encrypted it will provide different cipher text for higherl level of security.

Where does the system store share preferences? Check https://youtu.be/M3tGiWWZkIk video to know about where in the device share preferences are stored?

As seen in the video shared_prefs is the folder which contains all the files related to shared preferences. 

Let us check now how the content of share preferences files are updated based on what is used to create those files - SharedPreferences vs EncryptedSharedPreferences

Code using SharedPreferences





Content of XYZ.xml shared preference file we created using above code. You can see the content is easy to read and deduct.





Code using EncryptedSharedPreferences








Content of ABC.xml shared preference file we created using above code. You can see the content is encrypted and can be deducted directly.





Resources
This information is referred from https://developer.android.com/topic/security/data. For more details on how to use these in application can be referred using the same link.
Location: India

Comments

Post a Comment

Popular posts from this blog

Fragment Lifecycle

Image
Just like Activities, Fragments also manages its own lifecycle. Though these lifecycle callbacks are a bit different than activity’s callbacks they exist for the similar reason as that of activity’s callback. Fragment manages two different lifecycles. One for the fragment instance and other for the view shown in the fragment. Having different lifecycle for fragment’s view is useful in the situations where the work should be performed only when view exists. Points to note: Fragment lifecycle call-backs are similar to Activity’s lifecycle. More important they are dependent on Activity’ state. Fragment manages 2 different lifecycles - Instance and View. Fragment callbacks are: onAttach, onCreate, onCreateView, onViewCreated, onViewStateRestored, onStart, onResume, onPause, onStop, onDestroyView, onDestroy, onDetach Fragment state is saved before onStop for API level less than 28 while in API level 28 and above its saved after onStop method. i.e In API level 28 or above devices its safe to...
Read more

AndroidManifest

Image
One of the most important components of your project. Stays in the root directory of the project source. This is used to describe essential information about the app to Android Build Tools, Android OS and Google Play. Most important things for which AndroidManifest is used: To declare app’s package name: Used by Android build tools to map code entities and to map it with applicationId defined in build.gradle To declare different app components: Include all activities, services, broadcast receivers, and content providers To declare app permissions: Helps in accessing specific restricted by System or other apps. To declare hardware and software features: Used to decide which device can app be installed into Package name and application ID Example <?xml version="1.0" encoding="utf-8"?>        <manifest            xmlns:android="http://schemas.android.com/apk/res/android"           package="co...
Read more

Activity Lifecycle

Image
To let Android System interact with Application different methods are defined by the system which communicate different states of the activity to the application. Those methods/states are called as Lifecycle Callbacks. Activity can go into different combination of these states. In the code each callback is used to understand the state in which the activity is in and accordingly perform different operations. Let’s discuss different activity callbacks and what each of them represent in real life scenarios. You will find each section explained with the 3 labels. Let us see what each label represents: Called: It will tell you when is this method called. Implement: What should be implemented in this method. State: What is the state of activity from user's perspective.                         onCreate() Called: This is the first callback received in Activity which is called as soon as the system creates the Activity. Implement: Used ...
Read more