Remove reference to EncryptedSharedPreferences #3158

Open
wants to merge 1 commit into
base: master

AndrewScull

EncryptedSharedPreferences is from the deprecated [1] Jetpack security crypto library and, as such, should be avoided in discussion of data storage options on Android to avoid confusion.

[1] -- https://developer.android.com/privacy-and-security/cryptography#jetpack_security_crypto_library

@cpholguera
Collaborator

Hello @AndrewScull, the library was last updated on January 29, 2025.

https://developer.android.com/jetpack/androidx/releases/security

@cpholguera closed this Feb 15, 2025
@AndrewScull
Author

There are non-crypto packages in the library, but the crypto package only contains deprecated classes. See the package at the commit corresponding to the latest update that you linked: https://android.googlesource.com/platform/frameworks/support/+/8d4dee36b185eb647753338de4e161bebaeff24d/security/security-crypto/src/main/java/androidx/security/crypto

Here is the commit that deprecated it: https://android.googlesource.com/platform/frameworks/support/+/3724241aab8a48dbfd5cc147869350fd6511bb97

@cpholguera reopened this Feb 17, 2025
@cpholguera
Collaborator

I see, interesting. Thanks for sharing, it seems that not only is this class marked as deprecated, but so is EncryptedFile.

However, Google still recommends it in the security documentation, and the API reference doesn't reflect that.

https://developer.android.com/privacy-and-security/security-best-practices#sharedpreferences

https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

Let me ask them directly and I'll get back to you when I have new information. I'll keep the PR open for now. Note that if we remove these references/recommendations, we'll need to explain it and also offer alternatives.

@cpholguera
Collaborator

Google responded that this library was not actively maintained, hence it has been deprecated. Devs can still do this directly, but Google is considering how to replace it in the future to make it easier.

Deprecation is currently indicated here: https://developer.android.com/privacy-and-security/cryptography

We're going to keep the recommendation to the library but with a disclaimer.

@TheDauntless is gonna help you with the PR.
