Android SharedPreference Security

I am interested to know about the security of general settings.

Is it possible to access sharedpreferences even if they were created in MODE_PRIV (0)?
Is it possible to list all available sharedpreferences and then extract all the settings from other applications?
Is sharedpreferences a good place to host sensitive data such as password or authentication token?

Thanks

+106
android security sharedpreferences
Feb 11 2018-12-12T00:
4 answers

General settings are stored as a file in the file system on the device. By default, they are stored in the application's data directory with file system permissions set that allow only the UID under which the particular application runs to access them. Thus, they are private because file permissions on Linux restrict access to them in the same way as on any Linux/Unix system.

Any user with root privileges can see them, since root has access to everything in the file system. In addition, any application that runs with the same UID as the creator application will be able to access them (this is usually not done, and you need to take certain actions so that the two applications run with the same UID, so this is probably not a big concern). Finally, if someone can mount the file system of your device without using the installed Android OS, they can also bypass the permissions that restrict access.

If you are worried about such access to your preferences (or any data written by your application), then you will want to encrypt them. If this bothers you, you will need to determine exactly what level of protection is needed for the level of risk that you see. This is described in great detail in Application Security for the Android Platform, which was just published in December 2011 (disclaimer: I am the author of this book).

+220
Feb 11 2018-12-12T00:

SharedPreferences are nothing but XML files in your phone's /data/data/ folder. Therefore, any application or user with superuser privileges on a rooted device can access your SharedPreferences, even if they were created using MODE_PRIV.

However, there is a way to protect it from everyone ... Check out this link. Here you can store data in pref using encryption, the class is clear and very easy to use.

https://github.com/sveinungkb/encrypted-userprefs

As others say, anyone can access it, but in this case no one can read the data inside it, since it is encrypted. Therefore it is safe. For utmost security, my suggestion would be to generate the key used for encryption at runtime, rather than hard coding it. There are many ways to do this :)

+25
Mar 10 '14 at 15:52

As a rule, no, other applications cannot access them. However, it should be noted that SharedPreferences are stored as XML files in the /data/data/ directory, which essentially means that any application with superuser privileges on a rooted device can access your SharedPreferences, even if they were created using MODE_PRIV.

+13
Feb 11 2018-12-12T00:

Is it possible to access the general settings, even if they were created in MODE_PRIV (0)?

No code. But you can get the application file if you have superuser privileges.

Can I list all available general settings and then extract all settings from other applications?

If you are a superuser (rooted devices), you can extract all the personal files of the application.

Is sharedpreferences a good place to host sensitive data such as password or authentication token?

No. It can be easily hacked. If you want to put any sensitive data in a common settings file, you can encrypt the data and save it. You can store your encryption key in the NDK / server.

+2
Apr 01 '19 at 13:35


