Skip to content
Android secure shared preferences using Android Keystore system
Branch: develop
Clone or download
Latest commit 27bde15 May 9, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
gradle/wrapper initialised project Jun 23, 2015
library updating to version 0.1.3 Feb 10, 2016
sample
.gitignore initialised project Jun 23, 2015
.travis.yml updated travis.yml to use android 23 Feb 10, 2016
LICENSE.txt docs and hardware back text Jun 25, 2015
README.md Update README.md May 9, 2019
build.gradle updating to version 0.1.3 Feb 10, 2016
checkstyle.gradle added basic login activity, theme, checkstyle Jun 24, 2015
checkstyle.xml added basic login activity, theme, checkstyle Jun 24, 2015
checkstyle_android_library.gradle added basic login activity, theme, checkstyle Jun 24, 2015
gradle.properties initialised project Jun 23, 2015
gradlew initialised project Jun 23, 2015
gradlew.bat initialised project Jun 23, 2015
libraries.gradle added obscuredsharedpreferences and keygenerator Jun 25, 2015
settings.gradle Added script to Upload to bintray and renaming Jun 26, 2015
test_script.sh travis config Jun 26, 2015
version.gradle updating to version 0.1.3 Feb 10, 2016

README.md

Build Status Android Arsenal

For securing your SharedPreferences information.

Why Secure SharedPreferences?

SharedPreferences are accessible to anybody if your device is compromised. It is recommended to obscure the information saved in SharedPreferences before you store them. One of the solutions is to encrypt the informaiton (See [ObscuredSharedPreferences] (library/src/main/java/in/co/ophio/secure/core/ObscuredSharedPreferences.java)). Still the key that is used for encryption can be recovered by a simple decompilation procedure if it is hard-coded in the app.

Solution

In addition to encrypting the information stored in SharedPreferences, store your encryption key in the [Android Keystore System] (https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore) by using our KeyGenerator

Android Keystore System

The Android Keystore system lets you store private keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the private key material remaining non-exportable.

The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).

Disadvantages of using Android Keystore System

If we create a key pair with the KeyPairGenerator and store it, then on changing the screen lock, our key pairs are deleted as the new Keystore is empty. See the following links for more details:

There are some changes to the Keystore in the new Android M Developer Preview regarding this mentioned here.

Download

Using Gradle:

compile "in.co.ophio:secure-preferences:0.1.3"

Using Maven:

<dependency>
  <groupId>in.co.ophio</groupId>
  <artifactId>secure-preferences</artifactId>
  <version>0.1.3</version>
</dependency>

Usage

	String key = KeyStoreKeyGenerator.get(getApplication(),
					KeystoreApplication.getAppContext().getPackageName())
						.loadOrGenerateKeys();
  • Obtain an instance of [ObscuredSharedPreferences] (library/src/main/java/in/co/ophio/secure/core/ObscuredSharedPreferences.java) using ObscuredPreferencesBuilder as follows:
SharedPreferences sharedPreferences = new ObscuredPreferencesBuilder()
                .setApplication(KeystoreApplication.getAppContext())
                .obfuscateValue(true)
                .obfuscateKey(true)
                .setSharePrefFileName(PREFS_NAME)
                .setSecret(key)		//secret key we generated in step 1.
                .createSharedPrefs();

Contributing

Before sending pull requests

  • Setup your Preferences -> File And Code Templates -> Includes -> File Header as follows:
/**
 * @author ${USER} (your email address)
 */
  • Run the following command on your computer.
./gradlew clean check connectedAndroidTest

License

Copyright 2015 Ophio.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

NOTE

The maintainer has very little time to work on it, so this is no longer actively maintained. Also note that the library has not been updated after Android version 23, so a few API's used in this library are now deprecated in new versions of Android and new security related changes are not available.

You can’t perform that action at this time.