Like many people - I am developing an app with a shared codebase (Windows Store + Android + MonoTouch + [later] WP8).
Also, as with many apps, I have local state that I need to persist for this app.
One piece of information I store is an authentication token for the signed-in user. On the Windows Store platform I have implemented the storage of this with a mixture of roaming settings (ApplicationData.Current.RoamingSettings) for the token's ancillary data (user name and issued date) and the PasswordVault for the actual token value. Thus the token is protected from OS-level introspection, because it is encrypted by the OS.
Now I'm implementing the same interface for my MonoDroid build, and I can't see any way, provided by the platform, to store data that can only be decrypted by my application - in the same way as the password vault can be used for Store apps.
As a result, at the moment, I'm simply using the Android.Content.ISharedPreferences interface via the Application.Context.GetSharedPreferences method to read and write these values.
So am I correct in my assumption that the platform (MonoDroid or Android) offers no secure storage OOB? Is the only alternative to implement encryption within the app - which will of course require baking the encryption key into the code? Or can I grab the certificate used to sign the app and use that as a key?
Ultimately it's not the end of the world if I can't encrypt this data, since the token is time-limited anyway - but it would be nice if I could actually do it properly!
You could use it with a combination of Keychain API (available in API level 14 onwards) and encrypting the data with Cipher API using the certificate from the Keychain api.
Take note: According to the Android Security Overview document, there are no guarantees if the device is rooted: http://source.android.com/tech/security/index.html#rooting-of-devices
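The approach the answer describes, a keystore-held key plus the Cipher API, as an added Xamarin.Android (C#) example that is not code from the question or the answer. It uses the AndroidKeyStore, which unlike the KeyChain API needs no user-installed certificate, to hold a non-exportable AES key, and encrypts the token with AES-GCM before it goes into SharedPreferences. Assumptions: API level 23 or later (KeyGenParameterSpec), and the key alias and preferences file name are made up.

```csharp
using System.Text;
using Android.Content;
using Android.Security.Keystore;
using Android.Util;
using Java.Security;
using Javax.Crypto;
using Javax.Crypto.Spec;

public static class SecureTokenStore
{
    const string KeyStoreName = "AndroidKeyStore", Transform = "AES/GCM/NoPadding";
    const string KeyAlias = "auth_token_key", PrefsName = "secure_prefs"; // assumed names
    const int GcmTagBits = 128;

    // Returns the app's AES key, generated on first use; the key material never leaves the
    // keystore (hardware-backed where the device supports it). Requires API 23+ (assumption).
    static ISecretKey GetOrCreateKey()
    {
        var ks = KeyStore.GetInstance(KeyStoreName); ks.Load(null);
        if (ks.GetEntry(KeyAlias, null) is KeyStore.SecretKeyEntry entry)
            return entry.SecretKey;
        var spec = new KeyGenParameterSpec.Builder(KeyAlias, KeyStorePurpose.Encrypt | KeyStorePurpose.Decrypt)
            .SetBlockModes(KeyProperties.BlockModeGcm)
            .SetEncryptionPaddings(KeyProperties.EncryptionPaddingNone)
            .Build();
        var gen = KeyGenerator.GetInstance(KeyProperties.KeyAlgorithmAes, KeyStoreName);
        gen.Init(spec);
        return gen.GenerateKey();
    }

    // Encrypts the token and stores the random IV and the ciphertext (Base64) in SharedPreferences.
    public static void SaveToken(Context ctx, string token)
    {
        var cipher = Cipher.GetInstance(Transform);
        cipher.Init(CipherMode.EncryptMode, GetOrCreateKey()); // keystore supplies a fresh IV
        byte[] ct = cipher.DoFinal(Encoding.UTF8.GetBytes(token));
        ctx.GetSharedPreferences(PrefsName, FileCreationMode.Private).Edit()
            .PutString("token_iv", Base64.EncodeToString(cipher.GetIV(), Base64Flags.NoWrap))
            .PutString("token_ct", Base64.EncodeToString(ct, Base64Flags.NoWrap))
            .Apply();
    }

    // Returns the token, or null when nothing is stored or the GCM tag check fails (file modified).
    public static string LoadToken(Context ctx)
    {
        var prefs = ctx.GetSharedPreferences(PrefsName, FileCreationMode.Private);
        string iv = prefs.GetString("token_iv", null), ct = prefs.GetString("token_ct", null);
        if (iv == null || ct == null) return null;
        var cipher = Cipher.GetInstance(Transform);
        cipher.Init(CipherMode.DecryptMode, GetOrCreateKey(), new GCMParameterSpec(GcmTagBits, Base64.Decode(iv, Base64Flags.NoWrap)));
        try { return Encoding.UTF8.GetString(cipher.DoFinal(Base64.Decode(ct, Base64Flags.NoWrap))); }
        catch (AEADBadTagException) { return null; }
    }
}
```

On a rooted device the preferences file is still readable, but it holds only the IV and ciphertext, and the key cannot be exported from the keystore. If the file is edited, the GCM tag check fails and LoadToken returns null instead of a corrupted token.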