
I want to create an SDK project that has to encapsulate and store data somewhere the application that includes the library won't be able to access it. The data is received by the library via HTTPS.

So, firstly, I've found that shared preferences are not an option, since libraries in Android don't have their own Context and can only work with the app's contexts, and data in shared prefs will be visible to the parent app.

What are the best options to store such sensitive data to hide it from the application that uses the lib? I'm planning to use a code obfuscation approach with commercial tools to make retrieving this data as hard as possible. So maybe I should use the Android Keystore System, or is simple encryption enough?

EDIT: Ok, it seems the only way to store the data securely is one of the variants of encrypting it. But there is another question: would it prevent the parent app from accessing the RAM and reading the data from there? Assuming the device is not rooted.

bvk256
  • I use to write some code natively using NDK, so a part of business logic is "safe" in a binary library. – betorcs Mar 02 '17 at 14:28
  • Yes, this is one of the valid options and I'm already employing this approach to store network API keys. – bvk256 Mar 02 '17 at 14:49

1 Answer


You can use SQLite as data storage. It's better than depending on an external lib (since in your case you're coding the library). Let's keep it light.

Each DB instance has its own name and the app accesses it by that name. As a possible solution, you can encode the name of the DB instance and decode it at runtime. This will hide your access point from developers.

Implement SQLiteOpenHelper class:

    import android.content.Context;
    import android.database.sqlite.SQLiteOpenHelper;

    public class FeedReaderDbHelper extends SQLiteOpenHelper {
        public static final int DATABASE_VERSION = 1;
        // The database name is stored encoded and decoded at runtime.
        public static String DATABASE_NAME = Utils.decode("Ylhsd1lYTnpkMjl5WkE9PQ==");

        public FeedReaderDbHelper(Context context) {
            super(context, DATABASE_NAME, null, DATABASE_VERSION);
        }
        ...

Where Utils.decode("Ylhsd1lYTnpkMjl5WkE9PQ==") is the method that you run to get the right DB name. After obfuscation your code will look like this:

    com.myrpoject.mypackage.g.h.a(com.myrpoject.mypackage.g.h.a("Ylhsd1lYTnpkMjl5WkE9PQ=="))

Of course, Ylhsd1lYTnpkMjl5WkE9PQ== is just a sample and you can use any other.

Check this answer for details of the second step.

Val
  • It's probably the same as using encrypted data within shared prefs, since it's the parent app's context used to create this sqlite database. – bvk256 Mar 02 '17 at 14:39
  • Your lib will use parent context but your key. The developer would not have access to your DB creation. And yes, you can do the same with SharedPrefs. The main point here is the hidden name, not the way of storing the data. – Val Mar 02 '17 at 14:44