Shared Preferences for storing sensitive user data?

hall28 USMember
edited October 2012 in Xamarin.Android

I’m creating an app for my company and am making it so that a user can save their login credentials (email and password) so they don’t have to log in every time they run the app.

I am currently saving their info in a SharedPreferences class. From my research this seems to be the standard way to do it, but I'm still new to Android development. Is this the standard way? If it is, how safe is saving user information in shared preferences? Is it encrypted? If so, how can I get an encryption key? Are there any alternatives for saving sensitive user info that would be better than using shared preferences? I’d appreciate any insight or direction. Thanks!

Best Answer

  • Cheesebaron DK mod
    Accepted Answer

    Shared Preferences is the most used way in Android to store settings. Shared Preferences are sandboxed, such that only your application can access them. However, you cannot prevent physical access to a device, hence I personally recommend either encrypting the passwords somehow or, if you use the username and password for something like a web service with OAuth, SWT or similar, storing the returned token.

    I personally serialize my settings model into JSON and store it on the device. There is also the possibility of using a database such as SQLite, which @ThomasS suggested. Whichever way you end up going with, I strongly suggest that you do something to the passwords so they cannot be stolen.

Answers

  • The user and all related content has been deleted.
  • hall28 USMember

    Thomas, thanks for the links.

  • hall28 USMember

    @Cheesebaron, thanks, that's really helpful. I think I'll store all of my preferences in a class, serialize it, encrypt it, then store in the shared preferences. But where do I store my encryption keys? Do you have any ideas about that? I assume if I store them in code, someone can easily decompile my app?

  • Cheesebaron DK Insider, University mod

    Android 4.0 and up has a KeyChain where you can store such things; otherwise there is no secure way to do this. Maybe you could offload this to a server?

    An obfuscator would also help, but a good hacker could still get through.
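As an added example (not code from this thread or from Xamarin), this puts the two pieces of advice above together: the settings model is serialized to JSON and encrypted before it goes into SharedPreferences, and the AES key lives in the hardware-backed AndroidKeyStore rather than in the app's code, so decompiling the APK does not reveal it. It goes beyond the thread in that it assumes Android 6.0 (API 23) or later, which added symmetric keys to AndroidKeyStore after this thread was written; the `UserSettings` class, the `settings_blob` key alias and the Newtonsoft.Json dependency are assumptions.

```csharp
using System.Text;
using Android.Content;
using Android.Preferences;
using Android.Security.Keystore;
using Android.Util;
using Java.Security;
using Javax.Crypto;
using Javax.Crypto.Spec;
using Newtonsoft.Json;

// Hypothetical settings model; the whole object is encrypted, password included.
public class UserSettings { public string Email; public string Password; }

public static class SecureSettingsStore
{
    const string KeyAlias = "settings_blob";   // assumed alias; any unique name works
    const string PrefKey = "settings_enc";

    // Creates a non-exportable AES-256 key in AndroidKeyStore on first use.
    // The key material never leaves the keystore, so it is not in the APK or in prefs.
    static IKey GetOrCreateKey()
    {
        var ks = KeyStore.GetInstance("AndroidKeyStore");
        ks.Load(null);
        if (!ks.ContainsAlias(KeyAlias))
        {
            var gen = KeyGenerator.GetInstance(KeyProperties.KeyAlgorithmAes, "AndroidKeyStore");
            gen.Init(new KeyGenParameterSpec.Builder(KeyAlias, KeyStorePurpose.Encrypt | KeyStorePurpose.Decrypt)
                .SetBlockModes(KeyProperties.BlockModeGcm)
                .SetEncryptionPaddings(KeyProperties.EncryptionPaddingNone)
                .SetKeySize(256).Build());
            gen.GenerateKey();
        }
        return ks.GetKey(KeyAlias, null);
    }

    public static void Save(Context ctx, UserSettings settings)
    {
        var cipher = Cipher.GetInstance("AES/GCM/NoPadding");
        cipher.Init(CipherMode.EncryptMode, GetOrCreateKey()); // keystore supplies a fresh random IV
        byte[] ct = cipher.DoFinal(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(settings)));
        // IV and ciphertext stored together; GCM's tag makes any modification fail on Load.
        string blob = Base64.EncodeToString(cipher.GetIV(), Base64Flags.NoWrap) + ":" +
                      Base64.EncodeToString(ct, Base64Flags.NoWrap);
        PreferenceManager.GetDefaultSharedPreferences(ctx).Edit().PutString(PrefKey, blob).Apply();
    }

    public static UserSettings Load(Context ctx)
    {
        string blob = PreferenceManager.GetDefaultSharedPreferences(ctx).GetString(PrefKey, null);
        if (blob == null) return null;                       // nothing saved yet
        string[] parts = blob.Split(':');
        var cipher = Cipher.GetInstance("AES/GCM/NoPadding");
        cipher.Init(CipherMode.DecryptMode, GetOrCreateKey(),
            new GCMParameterSpec(128, Base64.Decode(parts[0], Base64Flags.NoWrap)));
        byte[] pt = cipher.DoFinal(Base64.Decode(parts[1], Base64Flags.NoWrap)); // AEADBadTagException if tampered
        return JsonConvert.DeserializeObject<UserSettings>(Encoding.UTF8.GetString(pt));
    }
}
```

This protects the stored blob against someone who copies the preferences file off the device, but code running as the app on a compromised device can still ask the keystore to decrypt; storing a revocable service token instead of the password, as the accepted answer suggests, limits what such an attacker gains.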