0
  • Is it a good practice to store confidential user data like passwords, tokens, etc as shared preferences?
  • Will they be secure?
  • Are there any other options?

I want these data to be accessed from any activity of my app.

Sri Harsha Chilakapati
user1910290
  • Theoretically if you want to be sure that data is secure you should store the password hash (maybe MD5) instead of the password itself, so that if someone reads it he doesn't know what the real password is – BackSlash May 07 '13 at 13:15
  • If the app is installed on a rooted device. No! Not secure at all. But neither is a Database in that case. If it is plain text that is. ;-) – Siddharth Lele May 07 '13 at 13:15
  • @BackSlash MD5 is broken since forever, don't use it for password hashing. – gustafc May 07 '13 at 13:25
  • found this just sharing http://www.androidsnippets.com/encryptdecrypt-strings. – user1910290 May 07 '13 at 14:12
  • @gustafc, MD5 is broken in the sense that more strings generate the same MD5 code (collision), but you can encode your password with it without any worries. Anyway, being a well-known algorithm, there are many "dictionaries" used to translate the MD5 string into the original one. EDIT: FYI => http://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes – sataniccrow May 07 '13 at 15:16
  • @sataniccrow I didn't mean broken as in "reversible", I meant broken as in "useless for protecting passwords". Hashing by itself is generally not enough, and even if it wasn't, MD5 would still be one of the worst options (since it's fairly easy to find something that looks like the user's password). See http://stackoverflow.com/questions/947618/how-to-best-store-user-information-and-user-login-and-password – gustafc May 08 '13 at 08:28

2 Answers

2

Some users would say you probably shouldn't.

But I would say yes, in private mode, with highly encrypted data.

It's not 100% safe on rooted devices. But if the encryption algorithm is strong enough, don't worry.

shemsu
0

If you are using a strong encryption algorithm for storing usernames and passwords in Shared Preferences, it will help you to protect them from a malicious user. You have to use the Shared Preferences in PRIVATE mode so that no other activity outside your app can access that data.

You can use javax.crypto.Cipher class. This class provides access to implementations of cryptographic ciphers for encryption and decryption.

Use this link to understand the DES and AES algorithms:

https://security.stackexchange.com/questions/5457/which-type-of-encryption-algorithms-android-supports-and-which-would-be-better

Community