
Is there any secure storage in Android through Monodroid out of the box?

Like many people - I am developing an app with a shared codebase (Windows Store + Android + MonoTouch + [later] WP8).

Also, as with many apps, I have local state that I need to persist for this app.

One piece of information I store is an authentication token for the signed-in user. On the Windows Store platform I have implemented the storage of this with a mixture of roaming settings (ApplicationData.Current.RoamingSettings) for the token's ancillary data (user name and issued date) and the PasswordVault for the actual token value. Thus the token is protected from OS-level introspection, because it is encrypted by the OS.

Now I'm implementing the same interface for my MonoDroid build, and I can't see any way, provided by the platform, to store data that can only be decrypted by my application - in the same way as the password vault can be used for Store apps.

As a result, at the moment, I'm simply using the Android.Content.ISharedPreferences interface via the Application.Context.GetSharedPreferences method to read and write these values.

So am I correct in my assumption that the platform (MonoDroid or Android) offers no secure storage OOB? Is the only alternative to implement encryption within the app - which will of course require baking the encryption key into the code? Or can I grab the certificate used to sign the app and use that as a key?

Ultimately it's not the end of the world if I can't encrypt this data, since the token is time-limited anyway - but it would be nice if I could actually do it properly!

Andras Zoltan asked Jan 17 '13 08:01


1 Answer

You could use it with a combination of the Keychain API (available in API level 14 onwards) and encrypting the data with the Cipher API using the certificate from the Keychain API.

Take note: According to the Android Security Overview document, there are no guarantees if the device is rooted: http://source.android.com/tech/security/index.html#rooting-of-devices

KennyC answered Oct 22 '22 13:10
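The approach from the answer above, sketched in C# against the Xamarin.Android bindings as an added example (not code from the answer or from the asker's project): the token is encrypted with the public key of a KeyChain certificate and only the ciphertext goes into shared preferences. It assumes the user has already granted the app access to an alias (for example through `KeyChain.ChoosePrivateKeyAlias`), that the key is 2048-bit RSA, and that the methods are called off the UI thread because the KeyChain calls block; `TokenVault`, `secure_prefs` and `auth_token` are hypothetical names.

```csharp
// Added example, not from the original answer. TokenVault, the preference file
// name and the "auth_token" key are hypothetical names.
using System;
using System.Text;
using Android.Content;
using Android.Security;
using Javax.Crypto;

public static class TokenVault
{
    const string PrefsName = "secure_prefs";   // hypothetical
    const string TokenKey = "auth_token";      // hypothetical
    const string Transformation = "RSA/ECB/PKCS1Padding";
    const int MaxPlaintextBytes = 245;         // assumes a 2048-bit RSA key (256 - 11)

    // Encrypts with the certificate's public key; the private key is not touched here.
    public static void Save(Context context, string alias, string token)
    {
        byte[] plain = Encoding.UTF8.GetBytes(token);
        if (plain.Length > MaxPlaintextBytes)
            throw new ArgumentException("Token too long for a single RSA block.");

        var chain = KeyChain.GetCertificateChain(context, alias);
        if (chain == null || chain.Length == 0)
            throw new InvalidOperationException("No certificate for alias.");

        var cipher = Cipher.GetInstance(Transformation);
        cipher.Init(CipherMode.EncryptMode, chain[0].PublicKey);
        string stored = Convert.ToBase64String(cipher.DoFinal(plain));

        context.GetSharedPreferences(PrefsName, FileCreationMode.Private)
               .Edit().PutString(TokenKey, stored).Commit();
    }

    // Returns null when nothing is stored or the key is no longer accessible.
    public static string Load(Context context, string alias)
    {
        string stored = context.GetSharedPreferences(PrefsName, FileCreationMode.Private)
                               .GetString(TokenKey, null);
        if (stored == null) return null;

        var privateKey = KeyChain.GetPrivateKey(context, alias);
        if (privateKey == null) return null;   // access not granted or alias removed

        var cipher = Cipher.GetInstance(Transformation);
        cipher.Init(CipherMode.DecryptMode, privateKey);
        return Encoding.UTF8.GetString(cipher.DoFinal(Convert.FromBase64String(stored)));
    }
}
```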