How to Secure Android Shared Preferences?
The common location where SharedPreferences are stored in Android apps is:
/data/data//shared_prefs/
-
Google has released
EncryptedSharedPreferencesas part of it's androidx, I believe this should be the preferable way of encrypting the preferences.See https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences
讨论(0) -
You need to handle Verison under API 23
private static SharedPreferences getSharedPreferences(Context mContext) throws NullPointerException { if (android.os.Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) { String masterKeyAlias = null; try { masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC); sharedPreferences = EncryptedSharedPreferences.create( "secret_shared_prefs", masterKeyAlias, mContext, EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM ); } catch (GeneralSecurityException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } } else { sharedPreferences = mContext.getSharedPreferences(tag, Context.MODE_PRIVATE); } return sharedPreferences; }讨论(0) -
Complete answer (api level 23+). First you need crypto from androidx.
implementation "androidx.security:security-crypto:1.0.0-alpha02"Care : there is a significant performance difference between SharedPreferences and EncryptedSharedPreferences. You should notice that EncryptedSharedPreferences.create(...) is not so fast so you should have to store one instance at all.
Then you have to use this to retrieve EncryptedSharedPreferences.
public SharedPreferences getEncryptedSharedPreferences(){ String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC); SharedPreferences sharedPreferences = EncryptedSharedPreferences.create( "secret_shared_prefs_file", masterKeyAlias, context, EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM ); return sharedPreferences; }The you just have to use preference like the "standard way". To save it :
getEncryptedSharedPreferences().edit() .putString("ENCRYPTDATA", text) .apply()To retrieve preference value.
getEncryptedSharedPreferences().getString("ENCRYPTDATA", "defvalue")讨论(0) -
Kotlin example for dual purpose encrypted & unencrypted shared preferences using anrdoidx's security-crypto library (min API 23).
- Decent introduction to EncryptedSharedPreferences: garageprojects.tech/
I use Dagger2 to inject this as a @Singleton where needed.
Use the @Name annotation in your Dagger Modules to differentiate between the SharedPreferences instances and you can have 2 separate .xml files (1 encrypted, 1 unencrypted) to read/write to/from.
- Decent introduction to Dagger2: codinginflow.com
- Dagger Module & field injection example for the following code: stackoverflow.com
Add to dependenies in build.gradle:
implementation "androidx.security:security-crypto:1.0.0-beta01"
import android.content.Context import android.content.SharedPreferences import androidx.security.crypto.EncryptedSharedPreferences class Prefs(prefsName: String, context: Context) { private lateinit var ANDX_SECURITY_KEY_KEYSET: String private lateinit var ANDX_SECURITY_VALUE_KEYSET: String private lateinit var cntext: Context private lateinit var prefName: String private lateinit var prefs: SharedPreferences constructor( prefsName: String, context: Context, masterKeyAlias: String, prefKeyEncryptionScheme: EncryptedSharedPreferences.PrefKeyEncryptionScheme, prefValueEncryptionScheme: EncryptedSharedPreferences.PrefValueEncryptionScheme ): this(prefsName, context) { ANDX_SECURITY_KEY_KEYSET = "__androidx_security_crypto_encrypted_prefs_key_keyset__" ANDX_SECURITY_VALUE_KEYSET = "__androidx_security_crypto_encrypted_prefs_value_keyset__" cntext = context prefName = prefsName prefs = EncryptedSharedPreferences.create( prefsName, masterKeyAlias, context, prefKeyEncryptionScheme, prefValueEncryptionScheme ) } init { if (!::ANDX_SECURITY_KEY_KEYSET.isInitialized) { prefs = context.getSharedPreferences( prefsName, Context.MODE_PRIVATE ) } } companion object { const val INVALID_BOOLEAN: Boolean = false const val INVALID_FLOAT: Float = -11111111111F const val INVALID_INT: Int = -1111111111 const val INVALID_LONG: Long = -11111111111L const val INVALID_STRING: String = "INVALID_STRING" val INVALID_STRING_SET: Set<String> = setOf(INVALID_STRING) } /** * OnChangeListener * */ fun registerOnSharedPreferenceChangeListener( listener: SharedPreferences.OnSharedPreferenceChangeListener) = prefs.registerOnSharedPreferenceChangeListener(listener) fun unregisterOnSharedPreferenceChangeListener( listener: SharedPreferences.OnSharedPreferenceChangeListener) = prefs.unregisterOnSharedPreferenceChangeListener(listener) /** * Read Shared Prefs * */ fun contains(key: String): Boolean = prefs.contains(key) fun getAll(): Map<String, *> = prefs.all // Returns null if the Boolean value is not in // Shared Preferences fun read(key: String): Boolean? = if (contains(key)) { read(key, INVALID_BOOLEAN) } else { null } // Boolean fun read(key: String, returnIfInvalid: Boolean): Boolean = prefs.getBoolean(key, returnIfInvalid) // Float fun read(key: String, returnIfInvalid: Float): Float = prefs.getFloat(key, returnIfInvalid) // Int fun read(key: String, returnIfInvalid: Int): Int = prefs.getInt(key, returnIfInvalid) // Long fun read(key: String, returnIfInvalid: Long): Long = prefs.getLong(key, returnIfInvalid) // Set<String> fun read(key: String, returnIfInvalid: Set<String>): Set<String>? = prefs.getStringSet(key, returnIfInvalid) // String fun read(key: String, returnIfInvalid: String): String? = prefs.getString(key, returnIfInvalid) /** * Modify Shared Prefs * */ fun clear() { if (::ANDX_SECURITY_KEY_KEYSET.isInitialized) { val clearTextPrefs = cntext.getSharedPreferences(prefName, Context.MODE_PRIVATE) val keyKeyset = clearTextPrefs.getString(ANDX_SECURITY_KEY_KEYSET, INVALID_STRING) val valueKeyset = clearTextPrefs.getString(ANDX_SECURITY_VALUE_KEYSET, INVALID_STRING) if (keyKeyset != null && keyKeyset != INVALID_STRING && valueKeyset != null && valueKeyset != INVALID_STRING) { if (!clearTextPrefs.edit().clear().commit()) { clearTextPrefs.edit().clear().apply() } if (!clearTextPrefs.edit().putString(ANDX_SECURITY_KEY_KEYSET, keyKeyset).commit()) { clearTextPrefs.edit().putString(ANDX_SECURITY_KEY_KEYSET, keyKeyset).apply() } if (!clearTextPrefs.edit().putString(ANDX_SECURITY_VALUE_KEYSET, valueKeyset).commit()) { clearTextPrefs.edit().putString(ANDX_SECURITY_VALUE_KEYSET, valueKeyset).apply() } } } else { if (!prefs.edit().clear().commit()) { prefs.edit().clear().apply() } } } fun remove(key: String) { if (!prefs.edit().remove(key).commit()) { prefs.edit().remove(key).apply() } } // Boolean fun write(key: String, value: Boolean) { if (!prefs.edit().putBoolean(key, value).commit()) { prefs.edit().putBoolean(key, value).apply() } } // Float fun write(key: String, value: Float) { if (!prefs.edit().putFloat(key, value).commit()) { prefs.edit().putFloat(key, value).apply() } } // Int fun write(key: String, value: Int) { if (!prefs.edit().putInt(key, value).commit()) { prefs.edit().putInt(key, value).apply() } } // Long fun write(key: String, value: Long) { if (!prefs.edit().putLong(key, value).commit()) { prefs.edit().putLong(key, value).apply() } } // Set<String> fun write(key: String, value: Set<String>) { if (!prefs.edit().putStringSet(key, value).commit()) { prefs.edit().putStringSet(key, value).apply() } } // String fun write(key: String, value: String) { if (!prefs.edit().putString(key, value).commit()) { prefs.edit().putString(key, value).apply() } } }
An alternative option to using Dagger2 to inject as a @Singleton could be to:
AppPrefs.kt
object AppPrefs { lateinit var encryptedPrefs: Prefs lateinit var prefs: Prefs // Add your key strings here... fun initEncryptedPrefs(context: Context) { encryptedPrefs = Prefs( "ENCRYPTED_PREFS", context, MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC), EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM ) } fun initPrefs(context: Context) { prefs = Prefs("PREFS", context) } }Application.kt
class Application: Application() { override fun onCreate() { super.onCreate() AppPrefs.initEncryptedPrefs(this.applicationContext) AppPrefs.initPrefs(this.applicationContext) } }Then just call from where ever
AppPrefs.prefsorAppPrefs.encryptedPrefs讨论(0) -
You should encrypt your data and write to SharedPreferences. When you want get this data then you should decrypt from SharedPreferences. you need the following helper class for this
public class Encryption { private final Builder mBuilder; private Encryption(Builder builder) { mBuilder = builder; } public static Encryption getDefault(String key, String salt, byte[] iv) { try { return Builder.getDefaultBuilder(key, salt, iv).build(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); return null; } } private String encrypt(String data) throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, InvalidKeyException, InvalidKeySpecException, BadPaddingException, IllegalBlockSizeException { if (data == null) return null; SecretKey secretKey = getSecretKey(hashTheKey(mBuilder.getKey())); byte[] dataBytes = data.getBytes(mBuilder.getCharsetName()); Cipher cipher = Cipher.getInstance(mBuilder.getAlgorithm()); cipher.init(Cipher.ENCRYPT_MODE, secretKey, mBuilder.getIvParameterSpec(), mBuilder.getSecureRandom()); return Base64.encodeToString(cipher.doFinal(dataBytes), mBuilder.getBase64Mode()); } public String encryptOrNull(String data) { try { return encrypt(data); } catch (Exception e) { e.printStackTrace(); return ""; } } public void encryptAsync(final String data, final Callback callback) { if (callback == null) return; new Thread(new Runnable() { @Override public void run() { try { String encrypt = encrypt(data); if (encrypt == null) { callback.onError(new Exception("Encrypt return null, it normally occurs when you send a null data")); } callback.onSuccess(encrypt); } catch (Exception e) { callback.onError(e); } } }).start(); } private String decrypt(String data) throws UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException { if (data == null) return null; byte[] dataBytes = Base64.decode(data, mBuilder.getBase64Mode()); SecretKey secretKey = getSecretKey(hashTheKey(mBuilder.getKey())); Cipher cipher = Cipher.getInstance(mBuilder.getAlgorithm()); cipher.init(Cipher.DECRYPT_MODE, secretKey, mBuilder.getIvParameterSpec(), mBuilder.getSecureRandom()); byte[] dataBytesDecrypted = (cipher.doFinal(dataBytes)); return new String(dataBytesDecrypted); } public String decryptOrNull(String data) { try { return decrypt(data); } catch (Exception e) { e.printStackTrace(); return null; } } public void decryptAsync(final String data, final Callback callback) { if (callback == null) return; new Thread(new Runnable() { @Override public void run() { try { String decrypt = decrypt(data); if (decrypt == null) { callback.onError(new Exception("Decrypt return null, it normally occurs when you send a null data")); } callback.onSuccess(decrypt); } catch (Exception e) { callback.onError(e); } } }).start(); } private SecretKey getSecretKey(char[] key) throws NoSuchAlgorithmException, UnsupportedEncodingException, InvalidKeySpecException { SecretKeyFactory factory = SecretKeyFactory.getInstance(mBuilder.getSecretKeyType()); KeySpec spec = new PBEKeySpec(key, mBuilder.getSalt().getBytes(mBuilder.getCharsetName()), mBuilder.getIterationCount(), mBuilder.getKeyLength()); SecretKey tmp = factory.generateSecret(spec); return new SecretKeySpec(tmp.getEncoded(), mBuilder.getKeyAlgorithm()); } private char[] hashTheKey(String key) throws UnsupportedEncodingException, NoSuchAlgorithmException { MessageDigest messageDigest = MessageDigest.getInstance(mBuilder.getDigestAlgorithm()); messageDigest.update(key.getBytes(mBuilder.getCharsetName())); return Base64.encodeToString(messageDigest.digest(), Base64.NO_PADDING).toCharArray(); } public interface Callback { void onSuccess(String result); void onError(Exception exception); } private static class Builder { private byte[] mIv; private int mKeyLength; private int mBase64Mode; private int mIterationCount; private String mSalt; private String mKey; private String mAlgorithm; private String mKeyAlgorithm; private String mCharsetName; private String mSecretKeyType; private String mDigestAlgorithm; private String mSecureRandomAlgorithm; private SecureRandom mSecureRandom; private IvParameterSpec mIvParameterSpec; public static Builder getDefaultBuilder(String key, String salt, byte[] iv) { return new Builder() .setIv(iv) .setKey(key) .setSalt(salt) .setKeyLength(128) .setKeyAlgorithm("AES") .setCharsetName("UTF8") .setIterationCount(1) .setDigestAlgorithm("SHA1") .setBase64Mode(Base64.DEFAULT) .setAlgorithm("AES/CBC/PKCS5Padding") .setSecureRandomAlgorithm("SHA1PRNG") .setSecretKeyType("PBKDF2WithHmacSHA1"); } private Encryption build() throws NoSuchAlgorithmException { setSecureRandom(SecureRandom.getInstance(getSecureRandomAlgorithm())); setIvParameterSpec(new IvParameterSpec(getIv())); return new Encryption(this); } private String getCharsetName() { return mCharsetName; } private Builder setCharsetName(String charsetName) { mCharsetName = charsetName; return this; } private String getAlgorithm() { return mAlgorithm; } private Builder setAlgorithm(String algorithm) { mAlgorithm = algorithm; return this; } private String getKeyAlgorithm() { return mKeyAlgorithm; } private Builder setKeyAlgorithm(String keyAlgorithm) { mKeyAlgorithm = keyAlgorithm; return this; } private int getBase64Mode() { return mBase64Mode; } private Builder setBase64Mode(int base64Mode) { mBase64Mode = base64Mode; return this; } private String getSecretKeyType() { return mSecretKeyType; } private Builder setSecretKeyType(String secretKeyType) { mSecretKeyType = secretKeyType; return this; } private String getSalt() { return mSalt; } private Builder setSalt(String salt) { mSalt = salt; return this; } private String getKey() { return mKey; } private Builder setKey(String key) { mKey = key; return this; } private int getKeyLength() { return mKeyLength; } public Builder setKeyLength(int keyLength) { mKeyLength = keyLength; return this; } private int getIterationCount() { return mIterationCount; } public Builder setIterationCount(int iterationCount) { mIterationCount = iterationCount; return this; } private String getSecureRandomAlgorithm() { return mSecureRandomAlgorithm; } public Builder setSecureRandomAlgorithm(String secureRandomAlgorithm) { mSecureRandomAlgorithm = secureRandomAlgorithm; return this; } private byte[] getIv() { return mIv; } public Builder setIv(byte[] iv) { mIv = iv; return this; } private SecureRandom getSecureRandom() { return mSecureRandom; } public Builder setSecureRandom(SecureRandom secureRandom) { mSecureRandom = secureRandom; return this; } private IvParameterSpec getIvParameterSpec() { return mIvParameterSpec; } public Builder setIvParameterSpec(IvParameterSpec ivParameterSpec) { mIvParameterSpec = ivParameterSpec; return this; } private String getDigestAlgorithm() { return mDigestAlgorithm; } public Builder setDigestAlgorithm(String digestAlgorithm) { mDigestAlgorithm = digestAlgorithm; return this; } }}then you can write in SharedPreferences by encrypting your data as follows
Encryption encryption = Encryption.getDefault("Key", "Salt", new byte[16]); SharedPreferences preferences = PreferenceManager.getDefaultSharedPreferences(getApplicationContext()); SharedPreferences.Editor editor = preferences.edit(); editor.putString("token", encryption.encryptOrNull(userModel.getToken())); editor.apply()you can finally read from SharedPreferences data in the following way. This way, sensitive information will be safer while kept on the hardware level in the phone
final SharedPreferences preferences = PreferenceManager.getDefaultSharedPreferences(getApplicationContext()); Encryption encryption = Encryption.getDefault("Key", "Salt", new byte[16]); String token = encryption.decryptOrNull(preferences.getString("token",""));讨论(0) -
public class NodeCrypto { private String iv = "fedcba9876543210";//Dummy iv (CHANGE IT!) private IvParameterSpec ivspec; private SecretKeySpec keyspec; private Cipher cipher; private String SecretKey = "0123456789abcdef";//Dummy secretKey (CHANGE IT!) public void doKey(String key) { ivspec = new IvParameterSpec(iv.getBytes()); key = padRight(key,16); Log.d("hi",key); keyspec = new SecretKeySpec(key.getBytes(), "AES"); try { cipher = Cipher.getInstance("AES/CBC/NoPadding"); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (NoSuchPaddingException e) { // TODO Auto-generated catch block e.printStackTrace(); } } public byte[] encrypt(String text,String key) throws Exception { if(text == null || text.length() == 0) throw new Exception("Empty string"); doKey(key); byte[] encrypted = null; try { cipher.init(Cipher.ENCRYPT_MODE, keyspec, ivspec); encrypted = cipher.doFinal(padString(text).getBytes()); } catch (Exception e) { throw new Exception("[encrypt] " + e.getMessage()); } return encrypted; } public byte[] decrypt(String code,String key) throws Exception { if(code == null || code.length() == 0) throw new Exception("Empty string"); byte[] decrypted = null; doKey(key); try { cipher.init(Cipher.DECRYPT_MODE, keyspec, ivspec); decrypted = cipher.doFinal(hexToBytes(code)); } catch (Exception e) { throw new Exception("[decrypt] " + e.getMessage()); } return decrypted; } public static String bytesToHex(byte[] data) { if (data==null) { return null; } int len = data.length; String str = ""; for (int i=0; i<len; i++) { if ((data[i]&0xFF)<16) str = str + "0" + java.lang.Integer.toHexString(data[i]&0xFF); else str = str + java.lang.Integer.toHexString(data[i]&0xFF); } return str; } public static byte[] hexToBytes(String str) { if (str==null) { return null; } else if (str.length() < 2) { return null; } else { int len = str.length() / 2; byte[] buffer = new byte[len]; for (int i=0; i<len; i++) { buffer[i] = (byte) Integer.parseInt(str.substring(i*2,i*2+2),16); } return buffer; } } private static String padString(String source) { char paddingChar = ' '; int size = 16; int x = source.length() % size; int padLength = size - x; for (int i = 0; i < padLength; i++) { source += paddingChar; } return source; } public static String padRight(String s, int n) { return String.format("%1$-" + n + "s", s); } } ----------------------------------------------- from your activity or class call encrypt or decrypt method before saving or retriving from SharedPreference讨论(0)
加载中...
- 热议问题