
Hello all Big brain developers :-)

I want to secure the shared preference data where I have the AuthId of the user.

    // Stores the token as-is (unencrypted) in the app's private preferences file.
    public static void setUserAuthorization(Context context, String token) {
        SharedPreferences sharedPreferences = context.getSharedPreferences(
                MY_PREFERENCES, Context.MODE_PRIVATE);
        sharedPreferences.edit().putString(Authorization_token, token).apply();
    }

    // Returns the stored token, or null if none has been saved yet.
    public static String getUserAuthorization(Context context) {
        SharedPreferences sharedPreferences = context.getSharedPreferences(
                MY_PREFERENCES, Context.MODE_PRIVATE);
        return sharedPreferences.getString(Authorization_token, null);
    }

The issue is:

I don't want to call the web service every time to get the key, decrypt data and then encrypt.

I don't want to store the key locally as that is still the same as unsecure key.

I want something like this,

  1. Only my application will decrypt it.
  2. The key will be generated by user device(without user interaction)
  3. Anytime the data can be decrypted by that key.
  4. That key cannot be the Android ID as that is visible to any person.

Please help.

I tried Keystore, but it needs Android API 23 for the example given at the developer site (there is also a 256-byte limit).

Secure preference is also an issue for me as it is not working (or I don't know how to make it work).

Please help.

Asif Ansari
  • "The key will be generated by user device(without user interaction)" -- `KeyChain` is your only secure option here, but it has reliability issues, particularly prior to Android 5.0. Specifically, if the user changes their lockscreen type (e.g., from PIN to password), the `KeyChain` gets reset, and you can no longer decrypt your data. "I want to secure the shared preference data where I have AuthId of user" -- I recommend that you explain in detail what the specific attack it is that you are trying to defend against. – CommonsWare May 15 '17 at 11:52
  • The resetting of KeyChain is the issue that I don't want, so I rejected it. Still, thanks for the reply. I don't want anyone to access my AuthId and my services by any means. If they have access to any of them then they can access my DB which is stored in a server. The user data should be Hack Free as it contains private information – Asif Ansari May 16 '17 at 05:06
