  • Language: Java
  • License: Apache License 2.0
  • Created over 7 years ago
  • Updated almost 4 years ago


Store strings & credentials securely encrypted on your device

Secure Device Storage - Android

Storing Credentials Securely on Android Devices


Introduction

Storing credentials securely on a device is necessary on many occasions. You probably don't want to rely only on the process separation of the Android OS, but also make sure the stored values are encrypted. To make that possible we have combined the Android Keystore and the SharedPreferences. The keystore is used for generating cryptographic keys; the values are then encrypted with these keys and subsequently stored securely in the SharedPreferences.

The secure part about this solution is that those generated keys are never exposed to the kernel when the device is equipped with a “Trusted Execution Environment”. A so-called TEE is a secure area inside the main processor of a smartphone which runs code isolated from other processes. That means even if the device gets compromised or hacked, those keys can’t be extracted. A lot of modern Android phones are already equipped with a TEE (mostly because it’s often used to play DRM-protected material), and it is even a requirement for Google’s Android Nougat certification, so every phone running Android Nougat and later will come with a TEE installed.

SecureStorage uses its own dedicated private SharedPreferences to prevent conflicts with other possible SharedPreference instances and ensure that the content of the SecureStorage can only be accessed from the app which uses this library.

Supported APIs

Symmetric key generation and storage in the Android KeyStore is supported from Android 6.0 (API Level 23) onwards. Asymmetric key generation and storage in the Android KeyStore is supported from Android 4.3 (API Level 18) onwards.

To support more devices, SecureStorage currently uses asymmetric key generation. For storing simple credentials this is very secure, and the potential loss of speed compared with symmetric key generation is not noticeable. Nevertheless, make sure to move the execution into a background thread, as encryption does take a little time.
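The mechanism described above (an asymmetric key pair held in the Android Keystore, ciphertext kept in a private SharedPreferences file), as an added sketch that is not the library's own code. The alias, preferences file name and function names are hypothetical, and it needs API 23+ because it uses KeyGenParameterSpec.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.spec.MGF1ParameterSpec
import javax.crypto.Cipher
import javax.crypto.spec.OAEPParameterSpec
import javax.crypto.spec.PSource

// Hypothetical names chosen for this example.
private const val KEY_ALIAS = "example_credentials_key"
private const val PREFS_NAME = "example_secure_prefs"
private const val TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
// Keystore-backed RSA keys use SHA-1 for MGF1, so state it explicitly on both sides.
private val OAEP = OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)

private fun keyStore() = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

private fun ensureKeyPair() {
    if (keyStore().containsAlias(KEY_ALIAS)) return
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
        .build()
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")
        .apply { initialize(spec) }
        .generateKeyPair() // the private key is created inside the keystore and is not exportable
}

fun storeEncrypted(context: Context, name: String, secret: String) {
    ensureKeyPair()
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, keyStore().getCertificate(KEY_ALIAS).publicKey, OAEP)
    // RSA-2048 with OAEP/SHA-256 encrypts at most 190 bytes: enough for a password or token.
    val blob = Base64.encodeToString(cipher.doFinal(secret.toByteArray(Charsets.UTF_8)), Base64.NO_WRAP)
    context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE).edit().putString(name, blob).apply()
}

fun loadDecrypted(context: Context, name: String): String? {
    val blob = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE).getString(name, null) ?: return null
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.DECRYPT_MODE, keyStore().getKey(KEY_ALIAS, null) as PrivateKey, OAEP)
    return String(cipher.doFinal(Base64.decode(blob, Base64.NO_WRAP)), Charsets.UTF_8)
}
```

Only the Base64 ciphertext ever reaches the preferences file; decryption goes through the keystore, which performs the private-key operation without handing the key material to the app.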

Usage

Add the library to your app's build.gradle:

implementation "de.adorsys.android:securestoragelibrary:${latestSecureStorageVersion}"

To store a string value in your SecureStorage you have to call:

SecurePreferences.setValue(context, "KEY", "PLAIN_MESSAGE")

This works for every other primitive data type. So for storing a boolean value:

SecurePreferences.setValue(context, "KEY", true) // or false

for int

SecurePreferences.setValue(context, "KEY", 100)

for float and long

SecurePreferences.setValue(context, "KEY", 100.12345F) // float
SecurePreferences.setValue(context, "KEY", 100L) // long

To retrieve a string value:

SecurePreferences.getStringValue(context, "KEY", "") // default value; null is also accepted

And respectively for the other types:

SecurePreferences.getBooleanValue(context, "KEY", false) // default value: false or true
SecurePreferences.getIntValue(context, "KEY", 0)
SecurePreferences.getFloatValue(context, "KEY", 0F)
SecurePreferences.getLongValue(context, "KEY", 0L)

To check whether an entry exists in the SecurePreferences (this also returns false if the key pair does not exist):

SecurePreferences.contains(context, "KEY")

You can also remove an entry from the SecurePreferences:

SecurePreferences.removeValue(context, "KEY")

Clearing the SecurePreferences and deleting the KeyPair:

SecurePreferences.clearAllValues(context)

Everything about the cryptographic keys, such as generation, maintenance and usage, is handled internally by the module, so you do not need to worry about it.

If you want to keep track of changes in your SecureStorage, you can register an OnSharedPreferenceChangeListener as follows:

val listener = SharedPreferences.OnSharedPreferenceChangeListener { _, key ->
    // check if the key is the one you are listening for and react
}
SecurePreferences.registerOnSharedPreferenceChangeListener(this, listener)

Unregister the listener as soon as you don't need it any more with:

SecurePreferences.unregisterOnSharedPreferenceChangeListener(context, listener)

Error handling

The library throws a SecureStorageException for every error. The SecureStorageException carries an exception type, which you can use to handle the error that occurred, as follows:

try {
    SecurePreferences.setValue(context, KEY, "Secret")
    // or
    val decryptedMessage = SecurePreferences.getStringValue(context, KEY, "")
} catch (e: SecureStorageException) {
    handleException(e)
}
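// Elsewhere in the same class:
private fun handleException(e: SecureStorageException) {
    // e.message is nullable in Kotlin, so embed it in a message and attach the exception itself
    Log.e(TAG, "SecureStorage error: ${e.message}", e)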
    when (e.type) {
        KEYSTORE_NOT_SUPPORTED_EXCEPTION -> Toast.makeText(this, "Oh", Toast.LENGTH_LONG).show()
        KEYSTORE_EXCEPTION -> Toast.makeText(this, "Fatal - YARK", Toast.LENGTH_LONG).show()
        CRYPTO_EXCEPTION -> Toast.makeText(this, "2h&$==0j", Toast.LENGTH_LONG).show()
        INTERNAL_LIBRARY_EXCEPTION -> Toast.makeText(this, "Blame it all on us", Toast.LENGTH_LONG).show()
        else -> return
    }
}
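One way to combine the background-thread advice with the error handling above, as an added example that is not part of the library or its README. The key name "auth_token", the TAG value and the function names are hypothetical; SecurePreferences and SecureStorageException are the library classes used above and have to be imported from the library's package.

```kotlin
import android.content.Context
import android.os.Handler
import android.os.Looper
import android.util.Log
import java.util.concurrent.Executors
// Also import SecurePreferences and SecureStorageException from the library's package.

private const val TAG = "CredentialStore"   // hypothetical log tag
private const val TOKEN_KEY = "auth_token"  // hypothetical entry name

// One worker thread keeps key generation and RSA operations off the UI thread
// and serialises access to the keystore.
private val cryptoExecutor = Executors.newSingleThreadExecutor()
private val mainThread = Handler(Looper.getMainLooper())

fun saveToken(context: Context, token: String, onDone: (Boolean) -> Unit) {
    // Use the application context so a slow keystore call cannot leak an Activity.
    val appContext = context.applicationContext
    cryptoExecutor.execute {
        val ok = try {
            SecurePreferences.setValue(appContext, TOKEN_KEY, token)
            true
        } catch (e: SecureStorageException) {
            // Log the failure type only, never the secret itself.
            Log.e(TAG, "Storing token failed (${e.type})", e)
            false
        }
        mainThread.post { onDone(ok) }
    }
}

fun loadToken(context: Context, onResult: (String?) -> Unit) {
    val appContext = context.applicationContext
    cryptoExecutor.execute {
        val token = try {
            SecurePreferences.getStringValue(appContext, TOKEN_KEY, null)
        } catch (e: SecureStorageException) {
            Log.e(TAG, "Reading token failed (${e.type})", e)
            null
        }
        // Hand the result back on the main thread so callers may touch the UI.
        mainThread.post { onResult(token) }
    }
}
```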

Contributors:

@drilonrecica

@luckyhandler

Want to know more:

These links cover security aspects of the Android Keystore:
https://developer.android.com/training/articles/keystore.html#SecurityFeatures
https://source.android.com/security/keystore/
https://codingquestion.blogspot.de/2016/09/how-to-use-android-keystore-api-with.html
http://nelenkov.blogspot.de/2012/05/storing-application-secrets-in-androids.html
http://nelenkov.blogspot.de/2015/06/keystore-redesign-in-android-m.html
http://www.androidauthority.com/use-android-keystore-store-passwords-sensitive-information-623779/

These links cover security aspects of Android storage:
https://developer.android.com/guide/topics/data/data-storage.html
http://stackoverflow.com/a/26077852/3392276
