In You are storing application data using the Shared Preferences, maybe you should to know that Android stores all of your values in “plain text”, simply protected by the user-restricted file system on Android. If you gain root access to an Android device you have full read/write access to the application preferences of all of the applications installed.
Many applications store some kind of application secret (e.g. a communication token, last used account number) using SharedPreferences.
By using this class you’ll protect your preferences with a strong and proven symmetric cipher (AES) which will make it harder for anyone wishing to extract information from your application.
PS: This will not make your application bulletproof, just better :)
Example:
A regular shared preference file looks like this from adb shell:
|
1 |
cat /data/data/your.package.application/shared_prefs/prefs-test.xml |
|
1 2 3 4 |
<?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <string name="hemmelighet">dette er en hemmelighet</string> </map> |
With encryption you get a less obvious version:
|
1 2 3 4 |
<?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <string name="JopRH053b7Ogw17Yxmh7Og==">0AB7Y28XEvbQcnXpEZ4j9PtqzFLtm2V3KBXjTO1V704=</string> </map> |
The key is “hemmelighet” and the value is “dette er en hemmelighet”.
Usage:
|
1 2 |
// Init SecurePreferences preferences = new SecurePreferences(context, "my-preferences", "SometopSecretKey1235", true); // Put (all puts are automatically committed) preferences.put("userId", "User1234"); // Get String user = preferences.getString("userId"); |
Requirements and limitation:
Android API Level 8 (for Base64 support). Only strings put/gets are supported for now, this should cover most usages.
Plugin is hosted on Github.
https://github.com/sveinungkb/encrypted-userprefs
All codes and tutorials in the blog are based on his experience in the industry.
This is NOT encrypton, this is just base64-encoding. That won’t increase your security at all.