I know that SharedPreferences is an efficient way to store data, but is the database used by Android to store SharedPreferences read-only even if you have root access?
Thanks in advance!
There is nothing you can do if a user has SUDO permission on the device. If a device is rooted, they can dig into your SharedPreferences all they want.
If you are storing passwords or other sensitive data in your app's local data, consider doing some sort of obfuscation like SHA or MD5 hashing before adding to prefs.
As I understand it, it's possible to retrieve data stored in SharedPreferences. Therefore it isn't safe. Could anybody advise me on a way to completely secure the data? I know it's possible to encrypt and store the data, but I'm wondering, is there any other way?
Data stored in SharedPreferences, if created with Context.MODE_PRIVATE, is only accessible to your own application.
Though, if the user's phone is rooted, then the data can be read by root applications (even if created with Context.MODE_PRIVATE).
There is no way to avoid that, ever. But you can take precautions such as encrypting the data in SharedPreferences.
A good example of this is the SecurePreferences library: https://github.com/scottyab/secure-preferences
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them.
So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. You can google it out.
Try this https://prashantsolanki3.github.io/Secure-Pref-Manager/ to easily work with shared preferences; it also encrypts the key and value before saving them in the preferences.
Sample code to save a value:
// Save "LoremIpsum" under the key "user_name"; the library encrypts both before writing.
SecurePrefManager.with(this)
    .set("user_name")
    .value("LoremIpsum")
    .go();
I'm going to use the SharedPreferences keys to store my app information so when I open the app again after onDestroy the information will still be the same.
I'm just wondering, is it safe to use SharedPreferences? I mean, is there a way to hack or get the keys from the SharedPreferences?
And do all Android platforms have the SharedPreferences?
Thanks.
sharedPreferences aren't safe..
sharedPreferences should just store config/setting-data not encrypted..
if you want to store critical data - you have to write it encrypted in a database/sharedPrefs
btw .. http://android-developers.blogspot.de/2013/02/using-cryptography-to-store-credentials.html
You shouldn't store any unencrypted valuable information (passwords, private user information etc.) in SharedPreferences. SharedPreferences are just plain XML files in the app directory on internal storage.
If you need to store something private - you definitely need to encrypt it first.
How can I protect username and password saved in preferences?
Some sample code would be nice.
If you store passwords in plain text in an SQLite database or shared preferences, someone with root access might see them. Encrypting credentials prior to saving them locally would be safer, but still not perfect if someone reverse-engineers your app and gets the encryption key.
Have a look at the AccountManager. Also, this post might help you.
If you find that too complicated for your purpose, at least encrypt passwords before storing them into SharedPreferences! You can find more information, explanation and code here, too.
// MODE_PRIVATE: the preferences file is only accessible to this application
SharedPreferences sharedPreferences = MyApplication.getContext()
        .getSharedPreferences(ApplicationConstants.SHARED_PREF_NAME,
                Activity.MODE_PRIVATE);
Shared preferences are stored under Android/data/data/yourApp on the internal file system of Android and are not accessible to other apps, so you can privately save data in shared preferences.
Actually, shared preference data is stored in your application memory and no other app can access that, so beware of this.
I am using SharedPreferences to store my keys and my encrypted messages. If I store them encrypted in it and then decrypt in my app it takes some time, but I am confused about whether it will be secure to store them decrypted in SharedPreferences.
Can anybody reach my SharedPreferences MODE_PRIVATE with a special app or something like that?
On a rooted phone, yes, it can access the shared preferences for your app. Also, on any phone the user can delete all the data that is stored in shared preferences by clearing the cache in the application manager.
A safe way to store data would be to encrypt it with AES and save it in a text file in the root folder of your app.
I wonder about shared preferences security.
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
Is sharedpreferences a good place to put sensitive data, such as password or auth token?
Thanks
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps run with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see. There is a very extensive discussion about this in Application Security for the Android Platform, just published in December 2011 (disclaimer: I'm the author of this book).
SharedPreferences are nothing but XML files in your phone's /data/data/ folder, so any application or user with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV.
Still there is a way to protect it from everybody...
Please check out this link.
Here you can store data in prefs with encryption; the class is self-explanatory and very easy to use.
https://github.com/sveinungkb/encrypted-userprefs
As said by others, anyone can access it, but in this case no one can read the data inside it as it is encrypted. So it's secure. For utmost security my suggestion will be to generate the key used for encryption at run time rather than hard-coding it. There are many ways to do that :)
Normally, no, they cannot be accessed by other apps, however, you should note that SharedPreferences are stored as XML files in the /data/data/ directory, which essentially means that any application with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
By code, no. But you can retrieve the application file if you have superuser privileges.
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
If you are a superuser (rooted devices) then you can pull all private files of the app.
Is sharedpreferences a good place to put sensitive data, such as password or auth token?
No. It can be easily hacked. If you want to put any sensitive data in the shared preference file you can encrypt the data and store it. You can store your encryption key in NDK/server.