My app is based on different roles, for example teacher, parent and so on. So different users will see different activities and have different permissions. And if the device is rooted, the SharedPreferences object could be modified.

I save the user's role in a SharedPreferences object when he logs in (I receive his role from a database query).

He could easily change his role to the teacher for example and have more permissions. He could delete all the data.

After a little research, I found this: How to detect if changes were made in the preferences?

My question now is: Could a hacker avoid detection when changing the values from the object even though I checked it like in the example above?

Akif
ConanCode
  • `OnSharedPreferenceChangeListener` wouldn't even work because a hacker would change the file directly outside the context of the app. – DeeV Jan 13 '17 at 23:11

1 Answer

Yes. If you want security, check the permissions on the server every time you make a request, and don't send down anything he shouldn't be able to see. Then the best he can do is get some extra buttons that throw an error when pressed.

Gabe Sechan
  • But then I need to know his username in order to provide him his permissions/activities (I need this for a query). How would you store this information? – ConanCode Jan 13 '17 at 23:24
  • Look into token based authentication. You don't need to send the username/password with each request. – Gabe Sechan Jan 14 '17 at 00:43
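
The per-request server check and token approach described in the answer and comments above, as an added example that is not part of the original posts. It assumes a Python backend; `SERVER_KEY`, `ROLES`, `ALLOWED` and all function names are hypothetical, and the data is constructed. The token identifies the user only, and the role is looked up server-side on every request, so a role edited in SharedPreferences has no effect.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # assumption: the real key never leaves the server
ROLES = {"alice": "teacher", "bob": "parent"}  # constructed stand-in for the role table
ALLOWED = {"delete_data": {"teacher"}, "view_grades": {"teacher", "parent"}}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(username: str, ttl: int = 3600) -> str:
    """Issued once after a successful login. Carries identity and expiry, no role."""
    payload = json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def authenticate(token: str):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time comparison; any edit to the payload invalidates the MAC.
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    return claims["sub"] if claims["exp"] > time.time() else None

def handle_request(token: str, action: str, claimed_role=None) -> int:
    """Per-request check. claimed_role is whatever the app sent; it is never used."""
    user = authenticate(token)
    if user is None:
        return 401
    role = ROLES.get(user)  # role comes from server-side data on every request
    return 200 if role in ALLOWED.get(action, set()) else 403

if __name__ == "__main__":
    bob = issue_token("bob")
    print(handle_request(bob, "view_grades"))                          # parent may view
    print(handle_request(bob, "delete_data", claimed_role="teacher"))  # edited role ignored
```

The app can keep a role in SharedPreferences purely to decide which screens to draw; the status code returned by the server is what actually gates the action.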