
How secure are SQLite and SharedPreferences files on Android?

First, a bit of my background. I have been working on large web systems for over a decade. Android is something I have been looking at for the past two months; as you can imagine, the gap is quite wide :)

Looking at the Security and Permissions and Data Storage parts of Android's documentation, talking directly to developers, reading books and tutorials, it is pretty clear how the entire model works. However, I was unable to find an answer as to whether SQLite and SharedPreferences files are secure enough to store delicate non-encrypted information (for example, OAuth tokens). Is it possible for someone to grab them in any way? Quoting Android's documentation:

"Any data stored by an application will be assigned that application's user ID, and not normally accessible to other packages."

It's the "not normally accessible" part giving me additional grey hair :)

Thank you, helpful answers are appreciated :)

David Kuridža asked Aug 31 '10 12:08


2 Answers

"Is it possible for someone to grab them in any way?"

That depends on the someone. As Mr. Burov indicates, users of rooted phones can get at whatever they want. Ordinary users and other applications can't, by default.

"It's the not normally accessible part giving me additional grey hair :)"

By default, files are secure. You can make them world-readable or world-writable if you choose.

"Wouldn't it be possible to decompile apk file and find encryption key as well in that case?"

That depends on who you are defending against. If you are defending against other apps, have the user supply the encryption key. If you are defending against the user, you're screwed, just as all implementations of DRM are screwed.

CommonsWare answered Oct 16 '22 15:10


Well, there are a bunch of SharedPreferences editor apps on the market, so they're definitely not secure. Also, on rooted devices the database can be pulled off easily, since the user has full access to the phone's filesystem. Hence, if you want your app to be totally secured, encrypt your data.

Konstantin Burov answered Oct 16 '22 16:10
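
The advice in the two answers above (encrypt the data, and have the user supply the key so nothing secret ships in the APK) can look like this. It is an added example, not code from either answerer: `TokenVault`, the iteration count and the blob layout are assumptions, and it uses only standard JCE classes (`java.util.Base64` and `PBKDF2WithHmacSHA256` need API 26+ on Android).

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example: TokenVault is a hypothetical helper, not an Android API.
public final class TokenVault {
    // ITERATIONS is a constructed value; tune it to the slowest device you support.
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 310_000;

    // Derive a 256-bit AES key from the passphrase the user types in.
    private static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally { spec.clearPassword(); }
    }

    // Returns Base64(salt || iv || ciphertext+tag); this string is what goes into
    // SharedPreferences or SQLite instead of the plaintext token.
    public static String seal(String token, char[] passphrase) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv); // fresh salt and IV for every stored value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
            ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array());
    }

    // Throws AEADBadTagException on a wrong passphrase or a modified blob.
    public static String open(String blob, char[] passphrase) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        if (in.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("blob too short");
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, in, SALT_LEN, IV_LEN));
        return new String(c.doFinal(in, SALT_LEN + IV_LEN, in.length - SALT_LEN - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "constructed sample passphrase".toCharArray(); // constructed input
        System.out.println(open(seal("constructed-oauth-token", pass), pass));
    }
}
```

The passphrase itself is never written to storage, so a copy of the preferences file or database taken from a rooted device yields only the salted, authenticated ciphertext.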