Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credentials should be stored in EncryptedSharedPreferences #95

Closed
ArnyminerZ opened this issue Dec 27, 2022 · 5 comments
Closed

Credentials should be stored in EncryptedSharedPreferences #95

ArnyminerZ opened this issue Dec 27, 2022 · 5 comments
Labels
refactoring Quality improvement of existing functions

Comments

@ArnyminerZ
Copy link
Member

Right now, credentials are being stored inside regular SharedPreferences in CalendarCredentials:

icsx5/app/src/main/java/at/bitfire/icsdroid/db/CalendarCredentials.kt

Lines 17 to 19 in 0b1443d

private val credentialPrefs = context.getSharedPreferences(PREF_CREDENTIALS, 0)

EncryptedSharedPreferences shall be used.

The change is quite simple, they provide a good example:

MasterKey masterKey = new MasterKey.Builder(context)
     .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
     .build();

 SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
     context,
     "secret_shared_prefs",
     masterKey,
     EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
     EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
 );

 // use the shared preferences and editor as you normally would
 SharedPreferences.Editor editor = sharedPreferences.edit();
@ArnyminerZ ArnyminerZ added the refactoring Quality improvement of existing functions label Dec 27, 2022
@ArnyminerZ
Copy link
Member Author

Note the warning on the docs:

The preference file should not be backed up with Auto Backup. When restoring the file it is likely the key used to encrypt it will no longer be present. You should exclude all EncryptedSharedPreferences from backup using backup rules.

This means that we should provide an option to authorize back again after a device factory reset, or backup restore. Should be taken into account with #4.

Also security-crypto shall be added as dependency:

implementation "androidx.security:security-crypto:1.0.0"

@rfc2822
Copy link
Member

rfc2822 commented Jan 23, 2023

When we have the database, I'd just store everything (including credentials) in the private DB. EncryptedSharedPreferences says that it doesn't work across system backup/restore on different devices, but this is a use case that is planned (#4).

Unfortunately we have to store the credentials in clear text for Basic authentication.

@ArnyminerZ
Copy link
Member Author

Then we should store the accounts in Room instead of shared preferences for #76. This means creating a new table, and getting rid of CalendarCredentials.

@rfc2822
Copy link
Member

rfc2822 commented Jan 23, 2023

Then we should store the accounts in Room instead of shared preferences for #76. This means creating a new table, and getting rid of CalendarCredentials.

Sounds reasonable :)

@ArnyminerZ
Copy link
Member Author

The migration and tests for this have been added to #92 😄

@ArnyminerZ ArnyminerZ closed this as not planned Won't fix, can't repro, duplicate, stale Jan 23, 2023
rfc2822 pushed a commit that referenced this issue Feb 25, 2024
@ArnyminerZ @sunkup @dependabot
Jetpack Compose Migration (#207)
d833b76 
* Note

Signed-off-by: Arnau Mora <arnyminerz@proton.me>

* Migrate to Kotlin DSL (#19)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>

* Upgrade all dependencies (#22)

* Upgrade to Android 14 (#21)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>

* Rewrite CredentialsFragment to compose (#26)

* Update import (#27)

* Update README.md

* Fix NPE on adding subscription (#33)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Arnau Mora <arnyminerz@proton.me>

* Make CredentialsFragment into a composable (#35)

* Using regular ubuntu image

Signed-off-by: Arnau Mora <arnyminerz@proton.me>

* Migrate SubscriptionSettingsFragment to compose (#29)

* Migrate `AddCalendarValidationFragment` to Jetpack Compose (#31)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Migrate `AddCalendarEnterUrlFragment` to Jetpack Compose (#38)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Migrate AddCalendarDetailsFragment to compose (#40)

* Upgrade AGP to 8.2.1 (#42)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Upgrade Kotlin, KSP, Compose and others (#43)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Migrate `AddCalendarActivity` to Jetpack Compose (#45)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Added missing line break (#52)

* Remove unused view and layout (#54)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Added Dependabot (#51)

* Bump github/codeql-action from 2 to 3 (#62)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump actions/checkout from 3 to 4 (#61)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump actions/setup-java from 3 to 4 (#58)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump joda-time:joda-time from 2.12.5 to 2.12.6 (#56)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump androidx.work:work-testing from 2.8.1 to 2.9.0 (#60)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using BOM for OkHttp and downgrade to stable (#64)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Migrate EditCalendarActivity to jetpack compose (#46)

* Bump actions/cache from 3 to 4 (#65)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump com.android.tools.build:gradle from 8.2.1 to 8.2.2 (#66)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump androidx.compose.runtime:runtime-livedata from 1.5.4 to 1.6.0 (#78)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump androidx.compose:compose-bom from 2023.10.01 to 2024.01.00 (#79)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump com.google.accompanist:accompanist-themeadapter-material from 0.32.0 to 0.34.0 (#80)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Arnau Mora <arnyminerz@proton.me>

* Bump gradle/gradle-build-action from 2 to 3 (#82)

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Arnau Mora <arnyminerz@proton.me>

* Fix: Can't add subscription after going back once (#83)

* Update ical4android and cert4android (#73)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>

* Cleanup of Dialogs (#67)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>
Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Bump actions/upload-artifact from 2 to 4 (#63)

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Arnau Mora <arnyminerz@proton.me>

* Migrate `DonateDialogFragment` to Jetpack Compose (#75)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>
Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Final layout cleanup (#68)

Signed-off-by: Arnau Mora <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Ensured toast error is never null (#91)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Crash when going back into `CalendarListActivity` (standard flavour) (#90)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Migrate ColorPickerActivity to Jetpack Compose (closes #53, #87) (#94)

* Bump androidx.compose:compose-bom from 2024.01.00 to 2024.02.00 (#96)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump androidx.compose.runtime:runtime-livedata from 1.6.0 to 1.6.1 (#95)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump joda-time:joda-time from 2.12.6 to 2.12.7 (#93)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Edit Subscription: requires-auth toggle and credential fields trigger save-dismiss mechanism (#92)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Arnau Mora Gras <arnyminerz@proton.me>

* Removed package definition from manifest (#101)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Bump com.maxkeppeler.sheets-compose-dialogs:core from 1.2.1 to 1.3.0 (#103)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Use compose theming engine, (drop compatibility MdcTheming etc) (#48)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Signed-off-by: Arnau Mora <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Migrated to Gradle Version Catalog (#99)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>

* Check if we can reuse more composables and improve project structure (#106)

* Bump aboutLibs from 10.7.0 to 10.10.0 (#108)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump org.jetbrains.kotlinx:kotlinx-coroutines-android from 1.7.3 to 1.8.0 (#110)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Migrate to Material 3 (#109)

* Bump compose-ui from 1.6.1 to 1.6.2 (#111)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump androidx.compose.material:material-icons-extended from 1.6.1 to 1.6.2 (#112)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump androidx.compose.runtime:runtime-livedata from 1.6.1 to 1.6.2 (#113)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Arnau Mora <arnyminerz@proton.me>

* Quickfix for pull to refresh (#114)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

* Fix warnings (#115)

Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>

---------

Signed-off-by: Arnau Mora <arnyminerz@proton.me>
Signed-off-by: Arnau Mora Gras <arnyminerz@proton.me>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Sunik Kupfer <kupfer@bitfire.at>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
refactoring Quality improvement of existing functions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rfc2822 @ArnyminerZ