What does secure data look like in Android?


Saving data in SharedPreferences is easy and comfortable. But in programming, every bit of laziness comes with a threat, and SharedPreferences is no exception. When we save data in an Android app using SharedPreferences, it is easily available to attackers and malicious apps using simple tricks. This makes SharedPreferences unsuitable when we have to save a password or a user's personal data.

Let us understand this with an example by storing data with SharedPreferences.

  1. Create a SharedPref.java file and write this code:
import android.content.Context;
import android.content.SharedPreferences;

public class SharedPref {
    private Context context;
    private String sharedPrefName = "sharedpref";
    private SharedPreferences sharedPreferences;
    private SharedPreferences.Editor editor;

    //public constructor
    public SharedPref(Context context) {
        this.context = context;
        init();
    }

    //initialize values
    private void init() {
        sharedPreferences = context.getSharedPreferences(sharedPrefName, Context.MODE_PRIVATE);
        editor = sharedPreferences.edit();
    }

    //return 'value' saved with 'key', or "na" if the key is not present
    public String getData(String key) {
        return sharedPreferences.getString(key, "na");
    }

    //save 'value' with 'key'
    public void saveData(String key, String value) {
        editor.putString(key, value);
        editor.commit();
    }
}

2. We can use this file in the following way:

......
//create instance of SharedPref
SharedPref sharedPref = new SharedPref(MainActivity.this);
//save data to SharedPreferences
sharedPref.saveData("username", "ayaz");
//get data from SharedPreferences (same key that was used to save it)
sharedPref.getData("username");
......

Now run the app and you will find that your data is saved in SharedPreferences. But this data can easily be viewed from the device file explorer. Anyone can find your data like this:

This is one easy way to use SharedPreferences in any project. We can also add other methods such as saveIntValue() or getIntValue() to our SharedPref.java class to store or fetch integer values.

Now we have seen how easy it is to store values in SharedPreferences in Android! But our problem remains the same:

How to secure our DATA?

Our problem can be solved by using SharedPreferences in a modified form: EncryptedSharedPreferences.

EncryptedSharedPreferences stores our data the same way as its parent SharedPreferences, but in encrypted form, so even if a middleman gets access to our SharedPreferences file, he won't be able to understand it. EncryptedSharedPreferences is available for SDK 23 and above, so you still need another approach to secure your data on Lollipop or below.

Let's use EncryptedSharedPreferences to secure our data.

  1. Add the dependency
//app level build.gradle file
implementation "androidx.security:security-crypto:1.0.0-alpha02"

2. Now create an EncryptedSharedPref.java file and write this code:

import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class EncryptedSharedPref {
    private Context context;
    private String encryptedSharedPrefName = "encryptSharedPref";
    private SharedPreferences encryptedSharedPref;
    private SharedPreferences.Editor editor;
    private String masterKeyAlias;

    //public constructor
    public EncryptedSharedPref(Context context) {
        this.context = context;
        init();
    }

    private void init() {
        try {
            //create masterKeyAlias which will be used to encrypt data
            masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
            //create instance of EncryptedSharedPreferences by using its encryption schemes
            encryptedSharedPref = EncryptedSharedPreferences.create(
                    encryptedSharedPrefName,
                    masterKeyAlias,
                    context,
                    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
            );
            editor = encryptedSharedPref.edit();
        } catch (GeneralSecurityException | IOException e) {
            //fail loudly: if setup fails the fields stay null and every later call would crash
            throw new IllegalStateException("Could not initialise EncryptedSharedPreferences", e);
        }
    }

    //return 'value' saved with 'key', or "na" if the key is not present
    public String getData(String key) {
        return encryptedSharedPref.getString(key, "na");
    }

    //save 'value' with 'key'
    public void saveData(String key, String value) {
        editor.putString(key, value);
        editor.commit();
    }
}
3. We can use this file in the following way:
......
//create instance of EncryptedSharedPref
EncryptedSharedPref encryptedSharedPref = new EncryptedSharedPref(MainActivity.this);
//saving same data to encryptedSharedPref
encryptedSharedPref.saveData("username", "ayaz");
//get data from encryptedSharedPref (same key that was used to save it)
encryptedSharedPref.getData("username");
......

Now run the app again and you will find that your data is saved with EncryptedSharedPreferences. This file can still be viewed from the device file explorer, but the data is encrypted:

You can see that our file is easily available, but the data is encrypted so it is impossible to get our data without the proper encryption key.
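The difference between the two files described above can be checked mechanically. The following Python script is an added example, not code from the original article: it audits shared_prefs XML files pulled from a test build of your own app, lists readable entries stored under sensitive-looking names, and recognises an EncryptedSharedPreferences file by the two keyset entries the library keeps in it. The sample file contents and the SENSITIVE pattern are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Keyset entries that EncryptedSharedPreferences stores inside its own prefs file.
KEYSET_NAMES = {
    "__androidx_security_crypto_encrypted_prefs_key_keyset__",
    "__androidx_security_crypto_encrypted_prefs_value_keyset__",
}
# Assumption: key names a team would treat as sensitive; adjust per project.
SENSITIVE = re.compile(r"user|pass|token|secret|email|phone", re.I)

# Constructed sample: what the article's SharedPref class writes to sharedpref.xml.
PLAIN = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">ayaz</string>
    <int name="launch_count" value="3" />
</map>"""

# Constructed sample: layout of an encrypted prefs file; all values are placeholders.
ENCRYPTED = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="__androidx_security_crypto_encrypted_prefs_key_keyset__">PLACEHOLDER_KEYSET</string>
    <string name="__androidx_security_crypto_encrypted_prefs_value_keyset__">PLACEHOLDER_KEYSET</string>
    <string name="PLACEHOLDER_ENCRYPTED_KEY">PLACEHOLDER_ENCRYPTED_VALUE</string>
</map>"""


def audit_prefs(xml_text):
    """Return (is_encrypted, findings) for the text of one shared_prefs XML file."""
    root = ET.fromstring(xml_text)
    entries = {}
    for node in root:
        # <string> keeps its value as element text; <int>, <boolean>, ... use value="...".
        value = node.text if node.tag == "string" else node.get("value")
        entries[node.get("name")] = value
    if KEYSET_NAMES.issubset(entries):
        # Both keysets present: entry names and values are ciphertext, nothing to flag.
        return True, []
    findings = [(name, value) for name, value in sorted(entries.items())
                if name and SENSITIVE.search(name)]
    return False, findings


if __name__ == "__main__":
    for label, text in (("sharedpref.xml", PLAIN), ("encryptSharedPref.xml", ENCRYPTED)):
        encrypted, findings = audit_prefs(text)
        print(label, "encrypted" if encrypted else "PLAINTEXT", findings)
```

Run over every file in an app's shared_prefs directory as part of a release checklist, a non-empty findings list marks a value that should move to EncryptedSharedPreferences.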

In this way, we can secure our data in Android using EncryptedSharedPreferences. However, there is a major drawback to using this encrypted version of SharedPreferences. Look carefully at the size of both files, sharedpref.xml and encryptSharedPref.xml: encryptSharedPref.xml is almost 10x the size of sharedpref.xml, which leads to comparatively poor performance.

So, use EncryptedSharedPreferences only when you are storing sensitive data; you can use SharedPreferences for common use cases.

Founder at Inside Android | Youtuber | App Developer