gillesC gillesC - 1 month ago 16
Android Question

Encryption of SharedPreferences in Android

What is the added value when storing encrypted SharedPreferences items, opposed to just storing SharedPreferences items.

I only see the point for encryption as a mitigation technique, so that users can't easily manipulate the XML-file.

Question: Encrypted vs plaintext SharedPreferences storage?

Answer

The usefulness of encryption depends on where the encryption key is coming from.

If the encryption key is coming from the user (e.g., derived from a user-entered passphrase), then the value is that anyone attempting to read the data in the SharedPreferences XML would need that passphrase or settle for attempting brute-force decryption.

If the encryption key is not coming from the user, then the value is reduced. The attacker (including the user) can attempt to find the key and find the encryption algorithm. Both have to exist on the device, otherwise the app could not decrypt the data (let alone encrypt it). In most simple cases, such as the key being baked into the app as a constant, it does not take a lot of work for an expert to find the key, find the algorithm, and be able to decrypt the data.