Kalina Kalina - 1 month ago 5
Android Question

How to securely save a SharedPreference on Android device?

I have a few SharedPreferences that I would like to save on the device itself as securely as possible. I know nothing about security but I found from a bit of research that what I want is something called an "obfuscator". Is that right? Is that different from "encryption", or do I want to do both? I've also found that I can use AESObfuscator or ProGuard. What are the differences? Are there even more options? Which should I use?

I'm obviously very new to security so any tutorials or other references would be helpful.

Answer

The linked AESObfuscator encrypts strings with a static key, so that they can be saved to shared prefs and it is not immediately obvious what they are. This is different from a code obfuscator such as ProGuard, which mangles method and variable names in your code to make it harder to reverse-engineer. It is called 'obfuscation' and not 'encryption' because the key is in the app, and it is fairly easy to reverse (by extracting the key and decrypting). Shared prefs obfuscation will make it harder to read and modify the strings, but not impossible. If you are OK with that level of protection, do use this method. Using code obfuscation is also a good idea, so you'd want to use both.

The only supported way to make it 'impossible' to decrypt the strings is to have the user enter a password each time they use the app and derive the encryption key from it. This works, but is, needless to say, not very user friendly. If you are interested, here are some details.
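The password-derived approach the answer describes, as an added illustration that is not part of the original answer and not AESObfuscator's code: the key is derived from a user-entered password with PBKDF2 and a random salt, so no static key ships in the APK, and AES-GCM authenticates the stored value so tampering or a wrong password is detected on decrypt. It uses only JDK classes (javax.crypto, java.util.Base64) so it runs off-device; the class name, iteration count and sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordDerivedPrefs {               // hypothetical helper, not AESObfuscator
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000; // assumed cost; tune to the target devices
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // Derive a 256-bit AES key from the user's password plus a random per-install salt.
    // The salt is not secret: storing it in SharedPreferences next to the value is fine.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();                     // drop the password copy held by the spec
        return new SecretKeySpec(raw, "AES");
    }
    // AES-GCM with a fresh random IV; stored value is Base64(iv || ciphertext || tag).
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // The GCM tag check makes doFinal throw AEADBadTagException on a modified value or wrong password.
    static String decrypt(SecretKey key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                      // persist the salt alongside the encrypted value
        SecretKey key = deriveKey("user-entered-password".toCharArray(), salt); // constructed sample
        String stored = encrypt(key, "constructed-sample-token");
        System.out.println(decrypt(key, stored).equals("constructed-sample-token"));
    }
}
```

On Android, java.util.Base64 needs API 26 or later; earlier releases use android.util.Base64 with the same byte array, and the stored string and salt go into SharedPreferences as ordinary string values.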
