0

I looked up different Q&A on how to send data or what are the best way to send data between activities in Android but I could not find an answer on what is the most secure way to do it, if data are sensitive.

Best ways to send data between activities in android: https://stackoverflow.com/a/4878259/5544859

Which of these ways is the most secure AND efficient one to send data?

Community
  • 1
  • 1
Red M
  • 2,609
  • 3
  • 30
  • 50
  • Are these two activities in the same app and same process? – CommonsWare Jan 14 '17 at 21:21
  • @CommonsWare Yes they are. It's a process sending data between 5 activities, A --> B --> C --> D --> E, and when I'm in activity E, I will send the data to the storage/database. So, while I'm transferring data in between those activities, I'm looking for something secure since it's sensitive data. – Red M Jan 14 '17 at 21:34

1 Answers1

3

Putting the data in the Intent would be the least secure, insofar as that data is being sent by IPC from your process to a core OS process, then back to your process via another IPC invocation. On modern versions of Android, I know of no security issues with this — other apps cannot spy on that IPC or otherwise get at that data. However, all else being equal, keeping the sensitive data within your process at all times would be more secure than passing that data outside of your process.

The cited "Persist objects (sqlite, share preferences, file, etc.)" is not a way of passing data between components. It is a way of persisting data for long-term use. Now, most apps need such persistence, and so you may have persistence for other reasons and simply leverage it (e.g., A triggers writing data; E reads in that data). From an efficiency standpoint, though, disk I/O is slow, and so you do it when you need persistence, not data passing. Typically, though, with persistence, we maintain some sort of in-memory cache, to minimize that disk I/O. That involves static fields and WeakReferences, the other option cited in that Stack Overflow answer.

Off the cuff, and knowing nothing about your app:

  • If this sensitive data should be persisted, then just persist it, use a cache, and have E get the data from the cache or persistent store

  • If this sensitive data should not be persisted, but it is large and it can be acquired again (e.g., via network I/O), cache it using a static field and a WeakReference, so you do not tie up heap space indefinitely

  • If this sensitive data should not be persisted, and either is not large or cannot readily be acquired again, cache it using a static field, so it sticks around as long as your process does

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • Data needs to be persisted after it gets to activity "E" because the app does collect information from activity "A" all the way to activity "E" (while going through B, C, and D). – Red M Jan 14 '17 at 22:02
  • I believe I have two options: 1) persist data while going from A to E, then retrieve all data in E and send it to the server, or 2) Pass data from A to E, then persist it inside activity E, and send it to the server. Which of these two options is more secure if there is any distinctions ? – Red M Jan 14 '17 at 22:08
  • @RedaM: "I believe I have two options" -- probably I would make this be one activity, rather than five, using a wizard UI metaphor. Beyond that, though, you have the options that I outlined in my answer. "Which of these two options is more secure if there is any distinctions ?" -- so long as you are not passing the data outside your process, the security is equivalent. – CommonsWare Jan 14 '17 at 22:09