Best IT Recipes

How safe are SQLite and SharedPreferences files on Android?

Firstly, a bit of my background. I’ve been working on large web systems for over a decade, Android is what I’ve been looking at for the past two months; as you can imagine, the gap is pretty wide :)

Looking at Android Security and Permissions and the Data Warehouse, part of the documentation, talking directly with developers, reading books and tutorials, it’s pretty clear how the whole model works. However, I could not find the answer whether the SQLite and SharedPreferences files are safe for storing shallow unencrypted information (for example, OAuth tokens). Is it possible for someone to grab them? Specifying Android documentation:

Any data stored in the application will be assigned to this application user ID and are usually not available for other packages.

This is not a normally accessible part giving me extra gray hair :)

Thanks, helpful answers are welcome :)

+34
android security sqlite sharedpreferences
Aug 31 '10 at 12:14
source share
2 answers

Is it possible for someone to grab them?

It depends on someone. As Mr. Burov points out, users of rooted phones can get whatever they want. By default, ordinary users and other applications cannot.

This is not a normally accessible part giving me extra gray hair :)

By default, files are protected. If you choose, you can make them available for reading or worldwide.

Could not decompile the apk file and find the encryption key in this case?

It depends on who you are defending with. If you protect other applications, ask the user to provide an encryption key. If you protect yourself from the user, you are screwed up, like all DRM implementations.

+38
Aug 31 '10 at 13:01
source share

Well, there are many SharedPreferences editor applications on the market, so they are definitely not protected. Also, on root devices, the database can be easily deleted, since the user has full access to the phone file system. Therefore, if you want your application to be fully protected, encrypt your data.

+1
Aug 31 '10 at 12:27
source share


More articles:


All Articles