scottyab/secure-preferences scottyab/secure-preferences

  • This repository has been archived on 01/Mar/2022
  • Stars
    star
    1,531
  • Rank 29,550 (Top 0.6 %)
  • Language
    Java
  • Created almost 11 years ago
  • Updated almost 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
scottyab/secure-preferences
github

scottyab

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Android Shared preference wrapper than encrypts the values of Shared Preferences. It's not bullet proof security but rather a quick win for incrementally making your android app more secure.

Secure-preferences - Deprecated

  • Please use EncryptedSharedPreferences from androidx.security in preferenced to secure-preference. (There are no active maintainers Secure-preferences)

This is Android Shared preference wrapper that encrypts the values of Shared Preferences using AES 128, CBC, and PKCS5 padding with integrity checking in the form of a SHA 256 hash. Each key is stored as a one way SHA 256 hash. Both keys and values are base64 encoded before storing into prefs xml file. By default the generated key is stored in the backing preferences file and so can be read and extracted by root user. Recommend use the user password generated option as added in v0.1.0.

The sample app is available on playstore

Sample app Screenshot

Release v0.1.0+

The v0.1.0 release was a major refactor of the guts of secure prefs, which is Not backwards compatible yet with older 0.0.1 - 0.0.4 versions. So if you have an existing app using this don't upgrade. I'll be looking to add migration into a later release.

Full list of changes

Usage

Dependency

Maven central is the preferred way:

Note: v0.1.0 was dependent on snapshot of aes-crypto, this is only as I was waiting for the aes-crypto repo owner to upload to maven. I've sorted this for v0.1.1+ which is no longer dependent on Snapshot repo.

dependencies {
    implementation 'com.scottyab:secure-preferences-lib:0.1.7'
}

Download

Or download the release .aar or clone this repo and add the library as a Android library project/module.

ProGuard config

As of v0.1.4 no specific -keep config is needed.

DexGuard

There is specific DexGuard config supplied with DexGuard 7+ located <dexgaurd root>/samples/advanced/SecurePreferences

Examples

This will use the default shared pref file

SharedPreferences prefs = new SecurePreferences(context);

Custom pref file

You can define a separate file for encrypted preferences.

SharedPreferences prefs = new SecurePreferences(context, null, "my_custom_prefs.xml");

User password - (recommended)

Using a password that the user types in that isn't stored elsewhere in the app passed to the SecurePreferences constructor means the key is generated at runtime and not stored in the backing pref file.

SharedPreferences prefs = new SecurePreferences(context, "userpassword", "my_user_prefs.xml");

Changing Password

SecurePreferences securePrefs = new SecurePreferences(context, "userpassword", "my_user_prefs.xml");
securePrefs.handlePasswordChange("newPassword", context);

What does the data look like?

SharedPreferences keys and values are stored as simple map in an XML file. You could also use a rooted device and an app like cheatdroid

XML using Standard Android SharedPreferences

<map>
    <int name="timeout" value="500" />
    <boolean name="is_logged_in" value="true" />
</map>

XML with SecurePreferences

<map>
    <string name="TuwbBU0IrAyL9znGBJ87uEi7pW0FwYwX8SZiiKnD2VZ7">
        pD2UhS2K2MNjWm8KzpFrag==:MWm7NgaEhvaxAvA9wASUl0HUHCVBWkn3c2T1WoSAE/g=rroijgeWEGRDFSS/hg
    </string>
    <string name="8lqCQqn73Uo84Rj">k73tlfVNYsPshll19ztma7U">
        pD2UhS2K2MNjWm8KzpFrag==:MWm7NgaEhvaxAvA9wASUl0HUHCVBWkn3c2T1WoSAE/g=:jWm8KzUl0HUHCVBWkn3c2T1WoSAE/g=
    </string>
</map>

Disclaimer

By default it's not bullet proof security (in fact it's more like obfuscation of the preferences) but it's a quick win for incrementally making your android app more secure. For instance it'll stop users on rooted devices easily modifying your app's shared prefs. Recommend using the user password based prefs as introduced in v0.1.0.

Contributing

Please do send me pull requests, but also bugs, issues and enhancement requests are welcome please add an issue.

Licence

Much of the original code is from Daniel Abraham article on codeproject. This project was created and shared on Github with his permission.

Apache License, Version 2.0

Copyright (C) 2013, Daniel Abraham, Scott Alexander-Bown

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

The sample app Lock icon for sample app licenced under Creative Commons created by Sam Smith via thenounproject.com

More Repositories

1

rootbeer

Simple to use root checking Android library and sample app
Java
2,314
star
2

AESCrypt-Android

Simple API to perform AES encryption on Android. This is the Android counterpart to the AESCrypt library Ruby and Obj-C (with the same weak security defaults :( ) created by Gurpartap Singh. https://github.com/Gurpartap/aescrypt
Java
639
star
3

showhidepasswordedittext

Show/Hide Password EditText is a very simple extension of Android's EditText that puts a clickable hide/show icon in the right hand side of the EditText that allows showing of the password.
Java
559
star
4

safetynethelper

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.
Java
329
star
5

ssl-pin-generator

Simple jar to generate SSL pins based on a certificate's public key. Pins are base-64 SHA-1 hashes by default.
Java
93
star
6

androidkeystore

This started out as the sample project from Android sdk modified folder structure to for eclipse.
Java
53
star
7

HeartBeatView

Simple custom view of a beating heart using scaling animation.
Java
44
star
8

FuzzyDateAndroid

Create more relax human reabable dates and times just like twitter, stackoverflow.
Java
19
star
9

android-device-stats

Device Stats is a designs for people developing Android apps to quickly and easier see the exact specs of a device. Ideal for test devices where you aren't 100% sure on the resource qualifiers.
Java
13
star
10

android-environment-configuration-sample

Sample app used in blog post to illustrate a way of externallising config strings and adding DexGuard protection
Java
5
star
11

restart-counter-android

Simple app to count the number of restarts
Java
2
star
12

sample-location-based-image-tracker

Interview sample Location based image tracker that uses Flickr
Kotlin
1
star
13

meetup-java-client

Automatically exported from code.google.com/p/meetup-java-client
Java
1
star
14

EmbedExample

Standalone example app and library that used FatAAR plugin. Created to diagnose build issue we are seeing with production project
Kotlin
1
star