What could be used instead of Shared Preferences for storing user information? People say Shared Preference is not Secure.
You can't just collect all possible ways here. Also, if `Shared Preferences` is not secure, then make it secure yourself - encrypt the values – Vladyslav Matviienko Nov 29 '18 at 07:21
@TejasJoshi SharedPreferences is not for storing user information, it is generally used for holding some small values. For storing user information you can go for a database, depending upon your app – Rishav Singla Nov 29 '18 at 07:22
Have a look at [other options to store data](https://developer.android.com/guide/topics/data/data-storage). – Rumit Patel Nov 29 '18 at 07:25
@RishavSingla Android Shared Preferences are name-value pairs saved as XML files. They are mainly used by developers to save the user's app preferences, the user's details or the state of the app. Shared Preferences are files saved inside a directory named shared_prefs within the App Sandbox, i.e. /data/data/AppPackageName/shared_prefs. – tj_ Nov 29 '18 at 07:27
@TejasJoshi I already know it, but user information can be as long as possible, or the user can change it too, and you have to get that information wherever in the app, so shared preference is not a good idea. Go for https://developer.android.com/training/data-storage/room/ , it's a secure private database – Rishav Singla Nov 29 '18 at 07:43
@TejasJoshi if you want to use SharedPreferences then use Base64 encryption; this link will help you: https://stackoverflow.com/questions/30148729/how-to-secure-android-shared-preferences – Rishav Singla Nov 29 '18 at 07:54
Ty @RishavSingla but Base64?? https://stackoverflow.com/questions/4070693/what-is-the-purpose-of-base-64-encoding-and-why-it-used-in-http-basic-authentica – tj_ Nov 29 '18 at 08:44
Who says (private) SharedPreferences is not secure? Android apps are sandboxed and, therefore, other applications can't access its internal data. – Jul 01 '22 at 20:36
3 Answers
You can use the SQLCipher library for an encrypted database, or encrypt/decrypt values yourself with some key and store the result in SharedPreferences. To store keys, use the Android Keystore system.

For storing user information, this is not a recommended one to use for security purposes; I suggest using https://developer.android.com/training/data-storage/room/ , it's a private database – Rishav Singla Nov 29 '18 at 07:50
@RishavSingla A room database is stored in the app's internal storage. This is no different than SharedPreferences. I see no reason why Room would be more secure than SharedPreferences. – Jul 01 '22 at 20:42
If you are storing information on the user's device, no approach is 100% secure. You can hide the information in some ways (e.g. encoding, encryption, etc.) but it still won't be 100% secure.
In order to make your information secure, you will need to store the information in a remote server.

Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps run with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see.
You can also use a database with encryption, like WhatsApp. It's the best way from a security point of view. If you want, you can hide the database as well.

If you encrypt it, then where do you put the encryption key? If the key is stored on the device (in the case of KeyStore), then root can just use the encryption key and decrypt the data. – Jul 01 '22 at 20:44