/secure-preferences

Android secure shared preferences using Android Keystore system

Primary LanguageJavaApache License 2.0Apache-2.0

Build Status Android Arsenal

For securing your SharedPreferences information.

Why Secure SharedPreferences?

SharedPreferences are accessible to anybody if your device is compromised. It is recommended to obscure the information saved in SharedPreferences before you store them. One of the solutions is to encrypt the informaiton (See [ObscuredSharedPreferences] (library/src/main/java/in/co/ophio/secure/core/ObscuredSharedPreferences.java)). Still the key that is used for encryption can be recovered by a simple decompilation procedure if it is hard-coded in the app.

Solution

In addition to encrypting the information stored in SharedPreferences, store your encryption key in the [Android Keystore System] (https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore) by using our KeyGenerator

Android Keystore System

The Android Keystore system lets you store private keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the private key material remaining non-exportable.

The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).

Disadvantages of using Android Keystore System

If we create a key pair with the KeyPairGenerator and store it, then on changing the screen lock, our key pairs are deleted as the new Keystore is empty. See the following links for more details:

There are some changes to the Keystore in the new Android M Developer Preview regarding this mentioned here.

Download

Using Gradle:

compile "in.co.ophio:secure-preferences:0.1.3"

Using Maven:

<dependency>
  <groupId>in.co.ophio</groupId>
  <artifactId>secure-preferences</artifactId>
  <version>0.1.3</version>
</dependency>

Usage

	String key = KeyStoreKeyGenerator.get(getApplication(),
					KeystoreApplication.getAppContext().getPackageName())
						.loadOrGenerateKeys();
  • Obtain an instance of [ObscuredSharedPreferences] (library/src/main/java/in/co/ophio/secure/core/ObscuredSharedPreferences.java) using ObscuredPreferencesBuilder as follows:
SharedPreferences sharedPreferences = new ObscuredPreferencesBuilder()
                .setApplication(KeystoreApplication.getAppContext())
                .obfuscateValue(true)
                .obfuscateKey(true)
                .setSharePrefFileName(PREFS_NAME)
                .setSecret(key)		//secret key we generated in step 1.
                .createSharedPrefs();

Contributing

Before sending pull requests

  • Setup your Preferences -> File And Code Templates -> Includes -> File Header as follows:
/**
 * @author ${USER} (your email address)
 */
  • Run the following command on your computer.
./gradlew clean check connectedAndroidTest

License

Copyright 2015 Ophio.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

NOTE

The maintainer has very little time to work on it, so this is no longer actively maintained. Also note that the library has not been updated after Android version 23, so a few API's used in this library are now deprecated in new versions of Android and new security related changes are not available.