Is there a way a user could mess with the shared preferences values without the help of my app? E.g. can I store license details here and not worry about the user extracting and copying the license key?
It's really easy to access the shared preferences.
All you need is a file explorer with root access; they are saved in an XML file in /data/data/YOUR_APP_NAME/shared_prefs/YOUR_APP_NAME_preferences.xml
For licensing you should either use Google Play's license check or implement your own checking on a remote server.
If the context of the shared preferences is private (you define it when you create them), it is only possible to access them with root access without being the application that created them.
Shared preferences are stored inside the app's space, when you uninstall the app, the preferences are also gone.
So normally users cannot get these values, they are stored privately.
However, with root access and a simple memory search app, a user could be able to access the data. (It is always better to store such things server side.)
I'm saving data from my db/user into a Gson-formatted ArrayList in SharedPreferences. Now my question:
Is it safe to save this data (or data in general) into SharedPreferences? Are users able to read these Gson ArrayLists out? Maybe from the SD card, in a folder or somewhere else.
Thank you!
They are stored as XML files in your app directory, with permissions that allow only your app to access them. But on a rooted device they are easily accessible. If you are concerned with security then you may use encryption; these projects might be useful to you:
https://github.com/rtoshiro/SecureSharedPreferences
https://github.com/sveinungkb/encrypted-userprefs
Still, those projects do not give you a 100% guarantee; a hacker may decompile your APK and find the keys used to encrypt shared preferences. So if your data is of use only for a short time, then remember to remove it from your device once the user has finished using it. You may for example keep data on a server and download it only when needed, caching it locally only for a short time, when it's needed.
SharedPreferences is just a file located in the phone's private memory. So the user can't access it but root can. Root can do everything and many users have root nowadays. You shouldn't store fragile data there.
Android SharedPreference security
You can read all shared preferences Data
The SharedPreferences class provides a general framework that allows
you to save and retrieve persistent key-value pairs of primitive data
types.
To see the information in the store you need to know the important thing from the data. This will make reading through the information super easy. But as simple as it is to keep a tiny bit of data, it is just as difficult to keep and browse large structured data, since you need to define a key for every piece of data; in addition, you can't really search inside the data unless you have a certain concept for naming the secrets.
Please read Android SharedPreference security
As I understand it, it's possible to retrieve data stored in SharedPreferences. Therefore it isn't safe. Could anybody advise me on a way to completely secure the data? I know it's possible to encrypt and store the data, but I'm wondering, is there any other way?
Data stored in SharedPreferences, if created with Context.MODE_PRIVATE, is only accessible to your own application.
Though, if the user's phone is rooted, then the data can be read by root applications (even if created with Context.MODE_PRIVATE).
There is no way to avoid that, ever. But you can take precautions such as encrypting the data in SharedPreferences.
A good example of this is the SecurePreferences library: https://github.com/scottyab/secure-preferences
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them.
So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. You can google it out.
Try this https://prashantsolanki3.github.io/Secure-Pref-Manager/ to work easily with shared preferences; it also encrypts the key and value before saving them in the preferences.
Sample code to save a value:
SecurePrefManager.with(this)
        .set("user_name")
        .value("LoremIpsum")
        .go();
I'm building an Android game and I'm not sure where I should save something like "last completed level" or "remaining lives".
I'm pretty sure that I should not save this information in the database, because it's really simple to access an app's database with root access and some SQLite browser.
And I don't want to send it to a webserver, because the game should be playable offline.
What is the most secure place where I can store this information to prevent the player from cheating?
Thanks in advance
You may want to try one of the three options described here:
http://developer.android.com/training/articles/security-tips.html
Since Android is based on UID, it is almost impossible to prevent the root user from retrieving data, but you can still encrypt it.
I would go for the internal storage with encryption, and skip the content provider option due to the small amount of data you will store.
You could use a non secure storage (like SharedPreferences for example) but use a digital signature to make sure that the value wasn't tampered with.
So you can use Cipher to save your game information file
check this https://stackoverflow.com/a/10782267/2773264
or you can save your file as Object by using ObjectOutputStream
(don't save String Object, save a custom class to prevent from cheating).
I wonder about shared preferences security.
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
Is sharedpreferences good place to put sensitive data, such as password or auth token?
Thanks
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps run with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see. There is a very extensive discussion about this in Application Security for the Android Platform, just published in December 2011 (disclaimer: I'm the author of this book).
SharedPreferences are nothing but XML files in your phone's /data/data/ folder, so any application or user with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV.
Still there is a way to protect it from everybody...
Please checkout this link.
Here you can store data in prefs with encryption; the class is self-explanatory and very easy to use.
https://github.com/sveinungkb/encrypted-userprefs
As said by others, anyone can access it, but in this case no one can read the data inside it as it is encrypted. So it's secure. For utmost security my suggestion would be to generate the key used for encryption at run time rather than hard-coding it. There are many ways to do that :)
Normally, no, they cannot be accessed by other apps, however, you should note that SharedPreferences are stored as XML files in the /data/data/ directory, which essentially means that any application with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
By code, no. But you can retrieve the application file if you have superuser privileges.
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
If you are a superuser (rooted device), then you can pull all private files of the app.
Is sharedpreferences good place to put sensitive data, such as password or auth token?
No. It can be easily hacked. If you want to put any sensitive data in a shared preference file, you can encrypt the data and store it. You can store your encryption key in NDK/server.
I have some things in my app that I need to store, in order to have them available the next time I open the application. I wonder if I could save them using the SharedPreferences mechanism even if I don't have any "view" associated with them! If this is possible please let me know; if not, what would you suggest instead?
All you need is a component that can furnish you a handle to the android.os.Context
An Activity is such a component. SharedPreference's data is stored in a file - somewhat akin to a properties file (key,value pair).
You can also create your own files and store it in the app's private directory.