encrypt data in SharedPreferences

I'm currently developing a framework for OAuth 1 and 2 access to web services, and my question is: how do I store sensitive data like an OAuth access key in a secure way? The problem with these keys is that some platforms like Twitter use a permanent key, and if someone got access to this key he could do whatever he wants with the user's Twitter account.

So is it possible to automatically encrypt the data before it is stored in the shared preferences? Or is there a better way/place to store very important data?

UPDATE - ALSO READ: What is the most appropriate way to store user settings in Android application

Simon asked Feb 05 '11 22:02



2 Answers

You can also have a look at this class I made for doing exactly this: https://github.com/sveinungkb/encrypted-userprefs

It uses AES instead of the deprecated and weak DES used in the other suggestion.

Sveinung Kval Bakken answered Oct 04 '22 18:10


1). How to encrypt?

On Android the encryption is done via Java Cryptography Architecture (JCA). Mainly it is the javax.crypto.* package.

JCA Reference Guide

Here is an example of JCA API usage (AES algorithm in particular).

2). Where to store?

The encryption API works with byte arrays (not strings). This means you can use SharedPreferences, but you'll need to apply Base-64 encoding to the encrypted byte array before putting it into SharedPreferences (otherwise the XML parser will fail to read the shared preferences file). Then, to read it, you will need to use Base-64 decoding. Note that by default most Android OS versions do not have a built-in Base-64 API (see UPDATE section). So to remove this Base-64 overhead I would recommend just storing your bytes in a private file.

UPDATE: Since API Level 8, the API has android.util.Base64.

Vit Khudenko answered Oct 04 '22 17:10