For securing your SharedPreferences
information.
Why Secure SharedPreferences
?
SharedPreferences
are accessible to anybody if your device is compromised. It is recommended to obscure the information saved in SharedPreferences
before you store them. One of the solutions is to encrypt the informaiton (See [ObscuredSharedPreferences
] (library/src/main/java/in/co/ophio/secure/core/ObscuredSharedPreferences.java)). Still the key
that is used for encryption can be recovered by a simple decompilation procedure if it is hard-coded in the app.
Solution
In addition to encrypting the information stored in SharedPreferences,
store your encryption key in the [Android Keystore System
] (https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore) by using our KeyGenerator
Android Keystore System
The Android Keystore system lets you store private keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the private key material remaining non-exportable.
The Keystore system is used by the KeyChain
API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).
Disadvantages of using Android Keystore System
If we create a key pair with the KeyPairGenerator
and store it, then on changing the screen lock, our key pairs are deleted as the new Keystore is empty. See the following links for more details:
There are some changes to the Keystore in the new Android M Developer Preview regarding this mentioned here.
Download
Using Gradle:
compile "in.co.ophio:secure-preferences:0.1.3"
Using Maven:
<dependency>
<groupId>in.co.ophio</groupId>
<artifactId>secure-preferences</artifactId>
<version>0.1.3</version>
</dependency>
Usage
- Generate a key using
KeyGenerator
:
String key = KeyStoreKeyGenerator.get(getApplication(),
KeystoreApplication.getAppContext().getPackageName())
.loadOrGenerateKeys();
- Obtain an instance of [
ObscuredSharedPreferences
] (library/src/main/java/in/co/ophio/secure/core/ObscuredSharedPreferences.java) usingObscuredPreferencesBuilder
as follows:
SharedPreferences sharedPreferences = new ObscuredPreferencesBuilder()
.setApplication(KeystoreApplication.getAppContext())
.obfuscateValue(true)
.obfuscateKey(true)
.setSharePrefFileName(PREFS_NAME)
.setSecret(key) //secret key we generated in step 1.
.createSharedPrefs();
- For more information on usage see the sample application implementation:
- For more information on library see the library page.
Contributing
Before sending pull requests
- Setup your
Preferences -> File And Code Templates -> Includes ->
File Header
as follows:
/**
* @author ${USER} (your email address)
*/
- Run the following command on your computer.
./gradlew clean check connectedAndroidTest
License
Copyright 2015 Ophio.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
NOTE
The maintainer has very little time to work on it, so this is no longer actively maintained. Also note that the library has not been updated after Android version 23, so a few API's used in this library are now deprecated in new versions of Android and new security related changes are not available.