4

Android recently released EncryptedSharedPreferences which automatically encrypts SharedPreferences key/value data. While this is good, I've found that I can simply hook onto the API call and retrieve the decrypted value. Other than encrypting the data manually before calling EncryptedSharedPreferences (which kind of defeats its purpose) and implementing stronger runtime tampering to detect hooking, is there any way to be resistant to such attacks?

Additionally, I was also able to extract the encryption key used to encrypt the key/value pair in EncryptedSharedPreferences by hooking onto javax.crypto.Cipher and inspecting SecretKeySpec and IvParameterSpec. This seems weird because isn't the encryption key supposed to reside in the Android Keystore and never leave it?

user1118764

1 Answer

1

The purpose of EncryptedSharedPreferences is to protect the data: it's encrypted so hackers cannot understand the data, but it cannot protect against the data being stolen. But what can you do if you get the encrypted data and cannot decrypt it? If you cannot, then EncryptedSharedPreferences already serves its purpose.

Thành Hà Văn
  • The issue is that, by hooking onto the EncryptedSharedPreferences.encryptKeyValuePair, I'm able to dump out the decrypted data, so it doesn't seem to offer runtime protection. – user1118764 Mar 05 '20 at 06:40
  • So you are able to get the encrypted data and then successfully decrypt it? How can you decrypt it without the key? I am assuming that EncryptedSharedPreferences encrypts data with AES, right? – Thành Hà Văn Mar 05 '20 at 08:32
  • I don't have to decrypt it myself. I just hook onto the relevant API calls with Frida and obtain the decrypted data. – user1118764 Mar 08 '20 at 12:53
  • Oh, I got it. So anyway, API hooking cannot be prevented, not by the Android system :( – Thành Hà Văn Mar 09 '20 at 04:18
  • Actually, in addition to dumping out the decrypted data by hooking onto encryptKeyValuePair, I can also extract the encryption key used to encrypt the key/value pair, by hooking onto javax.crypto.Cipher and inspecting SecretKeySpec and IvParameterSpec. This seems weird because isn't the encryption key supposed to reside in the Android Keystore and never leave it? – user1118764 Mar 09 '20 at 05:54
  • So what happens if I create some value 5 and store it encrypted, so the user knows this value is higher, and he directly replaces it with 5's encrypted value when there is a lower value like 2? So for that it's not useful. So how to secure it? – Bhavin Patel Oct 07 '21 at 11:26
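
Background for the Keystore question in the post, as an added example that is not code from the thread or from androidx: EncryptedSharedPreferences is built on Tink, where the Keystore master key only wraps a keyset stored with the preferences, and the unwrapped data keys are then used by software ciphers inside the app process. `FakeKeystore` and the other names below are hypothetical, and AES-GCM stands in for both of the library's ciphers.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;
public class EnvelopeDemo {
    // AES-GCM helper: output is a random 12-byte IV followed by ciphertext and tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    // Hypothetical stand-in for the Android Keystore: the master key is
    // private, callers can only ask for wrap/unwrap operations.
    static final class FakeKeystore {
        private final SecretKey master;
        FakeKeystore() throws Exception {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            master = kg.generateKey();
        }
        byte[] wrap(byte[] keyBytes) throws Exception { return seal(master, keyBytes); }
        byte[] unwrap(byte[] wrapped) throws Exception { return open(master, wrapped); }
    }

    public static void main(String[] args) throws Exception {
        FakeKeystore keystore = new FakeKeystore();
        byte[] dataKey = new byte[32];
        new SecureRandom().nextBytes(dataKey);
        byte[] wrappedOnDisk = keystore.wrap(dataKey); // only this form is persisted
        // Every later app start: the data key is unwrapped into process memory.
        SecretKey inProcess = new SecretKeySpec(keystore.unwrap(wrappedOnDisk), "AES");
        byte[] stored = seal(inProcess, "5".getBytes(StandardCharsets.UTF_8)); // constructed sample value
        System.out.println("data key visible in process: " + Arrays.equals(dataKey, inProcess.getEncoded()));
        System.out.println("value round-trips: " + new String(open(inProcess, stored), StandardCharsets.UTF_8));
    }
}
```

The Keystore key protects the preferences file at rest, for example against a copied backup; it is not a boundary against code running inside the app process, which sees the unwrapped data key and the plaintext.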