I know that I can set the values to be 'MODE_PRIVATE' and only my application/userId will be able to access them, however, is there any way for the user to access these at any point? So is it 'safe' to store these in Shared Preferences, or is there a better place?
Furthermore, if I later decide to expose some preferences for setting by the user, would I be able to hide these values?
Thank you.
Edit: I know about Internal Storage as well, but am wondering if I can achieve something simpler with Shared Preferences.
Shared Preferences are just a plain-text XML file stored in the application's data folder. This is not a secure location, by any means. It's quite easy to view these files and extract the tokens. You can still use the Shared Preferences but you need to encrypt the information you are storing. As for "Internal Storage", those share the same location with the "Shared Preferences", so they're still easy to view.
Your unencrypted data is safe from OTHER applications running on the phone, but not from malicious users.
Even if you store access tokens in a secure location on the device, you should assume they can be revealed. That's why you shouldn't have a client secret in your mobile application code. For access tokens, you can try to keep them secure, but you can't make them 100% secure. So you shouldn't get unnecessary scopes or unnecessarily long-lifetime tokens.
PS. In general, a mobile device uses "response_type=token" (implicit grant) and it shouldn't get refresh tokens. It depends on the authentication server's policy, though.