EdmDroid - 1 month ago
Android Question

Security with SharedPreferences

I am developing an application in which I have to store very sensitive data, and it should not come in contact with the user. I got to know from this source that if a device is rooted, then accessing SharedPreferences and modifying it is a cakewalk. And I don't want it. So is there any method to protect my SharedPreferences from being accessed from anywhere? Or better still, can someone advise a safer data storage option?

Answer

There are different points to consider:

Shared Preference on an unrooted Device

The data is safe here on the code level. It can only be accessed through the app (in a malicious or normal manner).

Encrypted Shared Preference on an unrooted Device

Same as above. Your data is safe. No difference in security level; it's just as safe or unsafe as it would be unencrypted.

Shared Preference on a rooted Device

The data can be accessed and manipulated by any app. But you have to consider that only a very small percentage (I guess under 1-2%, but there is no reliable data on the interweb) of devices are rooted, and if users root their device they deliberately leave themselves vulnerable. This is not an Android system setting; if you root, you are responsible for the consequences.

Encrypted Shared Preference on a rooted Device

So you have the option to encrypt your data. There are ready solutions for this. But the problem is to keep the key secret. A hardcoded key in source code can easily be decompiled (even with a byte code obfuscator like ProGuard). A per-app generated key has to be saved somewhere, and in the end, on a rooted device, it can be accessed irrespective of the location (shared pref, SQL, file). A server-side per-user key that is only saved in RAM is a little more secure, but degrades usability as you need to make a server request the first time the app is started or every time it's garbage collected. This may interfere with offline capability.

Aside from the last method, encrypting your shared preference hardly gives any real security enhancements.

Implication of developing a malicious app

Since April '14 Google has had a malware scanner embedded in the play services on the device (also in the play store server side) that detects malicious apps; its definitions are frequently updated (at least every 6 weeks, as is the release cycle of the play store app) and it works with every Google Android 2.3+.

As a potential developer of a malicious app that reads your data, I have to consider that my app only works on a small percentage of devices, and then also only for a brief period, and that my main distribution channel would be to make people download the apk and manually install the app, hoping it won't be recognized by the malware scanner immediately; combined, this is a very unlikely scenario. This would make me inclined to use other means of intrusion which have a better effort-to-return ratio.

I guess that's the reason there are still only a few malicious apps for Android and no widespread "infection", at least none that I know of (mid-2015).

Should an App store sensitive data?

I would rethink whether your design fits your requirements. Usually you want to store the least sensitive data you can, only get it from the server if you need it, and then only keep it in RAM as long as you need it. Data that is potentially very damaging therefore should not be saved persistently on the device (if possible). As we discussed, data on your Android phone cannot be secured in a way that satisfies every security requirement.

Aside from that, you also have to consider securing the data on the UI level, or otherwise anybody could just take your phone and access the nuclear bomb codes through the app.

tl;dr

  • Persist only the sensitive data on your phone that you essentially need to keep a reasonable usability of your app. Everything else belongs in the RAM (as e.g. an object member) and should be fetched on demand and kept as briefly as possible
  • The existence of an effective malware for your app is unlikely
  • Shared Preference is safe on all devices that are not deliberately made vulnerable. You have no influence on that, so you cannot be held responsible, as it is not a standard feature of the phone
  • Encrypting your data on an Android phone hardly gives any real security enhancements

Update: It is not entirely correct what I said about encrypted data. See whitebox crypto for a solution on how to encrypt data on vulnerable devices.
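As an added illustration of the "server-side per-user key kept only in RAM" option the answer describes (example code written for this page, not the answerer's or any library's): a small wrapper that encrypts each SharedPreferences value with AES-GCM under a SecretKey handed in at session start. The class name, the assumption that the key arrives from the server at login and is discarded when the session ends, and the AAD binding of each value to its preference name are my additions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Wraps SharedPreferences; values are AES-GCM encrypted with a key that lives only in RAM. */
public final class SessionEncryptedPrefs {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length
    private final SharedPreferences prefs;
    private final SecretKey key;              // never written to disk by this class
    private final SecureRandom random = new SecureRandom();

    // Assumption: 'key' is fetched from the server at login and dropped when the session ends.
    public SessionEncryptedPrefs(Context ctx, String name, SecretKey key) {
        this.prefs = ctx.getSharedPreferences(name, Context.MODE_PRIVATE);
        this.key = key;
    }

    public void putString(String name, String value) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                 // fresh nonce per write; nonce reuse breaks GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // ties the blob to this pref name
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];      // layout: IV || ciphertext+tag
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        prefs.edit().putString(name, Base64.encodeToString(blob, Base64.NO_WRAP)).apply();
    }

    /** Returns null if absent; throws AEADBadTagException if the stored blob was altered. */
    public String getString(String name) throws GeneralSecurityException {
        String stored = prefs.getString(name, null);
        if (stored == null) return null;
        byte[] blob = Base64.decode(stored, Base64.NO_WRAP);
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

The authentication tag means a value edited in the preferences XML on a rooted device is rejected on read rather than silently accepted, and the AAD stops one encrypted value being swapped into another key. It does nothing for the key itself, which a root-level process can still read from the app's memory while it runs, which is the limit the answer points out.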