Is it safe to store OAuth2 access / refresh tokens in SharedPreferences in Android?

I know that I can set the values as "MODE_PRIVATE", so that only my application / userId can access them. However, does the user have access to them at any time? So is it "safe" to store them in SharedPreferences, or is there a better place?

In addition, if I later decide to expose some settings for the user to set, can I hide these values?

Thanks.

Edit: I also know about internal storage, but I'm wondering if I can achieve something simpler with SharedPreferences.

+7
3 answers

SharedPreferences are just an XML text file stored in the application data folder. This is not a safe place, by any means. It is very easy to view these files and extract tokens. You can still use SharedPreferences, but you need to encrypt the information that you store. As for "internal storage", it has the same location as the SharedPreferences, so it is still easy to view.

Your unencrypted data is protected from OTHER applications running on the phone, but not from malicious users.

+3

If you want to show some preferences to the user, you do not have to worry about it. I think shared_preferences will probably be the "safest" place to store these things. Unless the user has a rooted phone and gives a malicious application access to read your data files, you have nothing to worry about, as far as I know. Although I look forward to other answers. played a major role!

+2

Even if you store access tokens in a safe place on the device, you should assume that they can be discovered. This is why you should not have a client secret in your mobile application code. For access tokens, you can try to keep them safe, but you cannot make it 100% secure. Thus, you should not request unnecessary scopes or unnecessarily long tokens.

P.S. In general, a mobile device uses "response_type=token" (implicit grant) and should not receive refresh tokens. It depends on the authentication server policy, though.

+2
