I want to store some configuration in my app (like the URLs to my web services), similar to a config.properties for Tomcat or Jetty.
It seems that I have to use SharedPreferences, 2 problems:
If I want to use PreferenceManager.getDefaultSharedPreferences(context) what should be the file name and where should it be in the project?
I tried getSharedPreferences("config.properties", MODE_PRIVATE) after creating config.properties in the assets folder but that doesn't work, what is the correct way to do? The file contains pairs like key=value.
Also what is the most secure way to save sensitive config values such as credentials (like AWS keys)?
If someone form Google is reading me, your doc is pretty vague/non-existant (or hard to find) about that stuff.
Thanks
1/2)You don't pre-store shared preferences. They exist on disk only (not in the apk). If you need them to exist in the apk, use a different file format (like json) and transfer them to shared preferences the first time you're run.
3)The best way to store sensitive data is off-device on a server and transferred only when needed via an HTTPS web service. Anything else can be trivially found by anyone with any knowledge of reverse engineering.
Related
I have a problem. I am using xyz.db file and which is stored in asset folder. I am copying all data from xyz.db to application db which is stored in data/data/com.xyz/abc.sqlite in storage folder. Now I want to secure asset's xyz.db file. Because It can be easily extract from apk by reverse engineering. Please help me to secure my asset folder's database file.
You can perform the following to make it relatively difficult to access data in DB.
Password protected zip file to contain db which at runtime should be extracted.
Encrypt the file with symmetric key and again at runtime decrypt it.
Utilize sqlcipher that performs encryption for Data at Rest.
In both the above cases you will need to worry about storing the password or key. There is no sure shot way to protect the file but the above would require more effort and should be added as basic protection.
There's no final solution to your problem.
Any technique you'll use can be beaten by a determined skilled attacker.
You have to accept that if you want to store database xyz.sql in your apk file and you later want your app to use it, then it will be also possible for someone that reverse your app to retrieve it. Basically just because the plain text information at a certain moment will be available on the phone.
Hope i've been clean enough
Keep security in mind
As usual in Android the access rights of the database file determine who can use your database. If you follow the standard way presented in the following posts of this series, your database file will be located within the private directory of your app. This means that your app owns the database file and no one else can access it. Even using the other less common ways to create the database you can only grant access to the file. Thus others can access all of your database or nothing. There is no middle ground.
Still: You should never rely on data being safe from prying eyes in the database. Any sensitive data should be encrypted. Very sensitive data should not be stored on the device at all. Keep in mind that if the device gets lost, any misbehaving finder of the device can gain access to the database file as well as to your app. On a rooted device all files can be read. Apps like SQLite Editor make it easy to read even sensitive data – if they are not encrypted:
In cases where data privacy is of utmost importance, you have to revert to secured services or force the user to enter a secret every time before encrypting and storing the data or reading and decrypting them respectively.
source
Im saving datas from my db/user into a gson formated ArrayList in SharedPreferences. Now my question :
Is it safe to save these datas (or data in general) into Sharedpreferences. Are users able to read these gson Arraylists out ? Maybe from SD card ,in a folder or somewhere else.
Thank you !
They are stored as xml files in your app directory, with permissions that allow only your app to access them. But on rooted device they are easily accessible. If you are concerned with security then you may use encryption, those projects might be usefull to you:
https://github.com/rtoshiro/SecureSharedPreferences
https://github.com/sveinungkb/encrypted-userprefs
still those projects does not give you 100% guarantee, hacker may decompile your apk and find keys used to encrypt shared preferences. So if your data is of use only for short time then remember to remove it from your device once user has finished using it. You may for example keep data on server and download it only when needed, caching locally only for short time - when its needed.
SharedPreferences is just a file located in phone private memory. So user can't access it but root can. Root can everything and many users have root's nowadays. You shouldn't store fragile data there
Android SharedPreference security
You can read all shared preferences Data
The SharedPreferences class provides a general framework that allows
you to save and retrieve persistent key-value pairs of primitive data
types.
To see the information in the store you need to know the important thing from the data. This will make reading through the information super easy. But as simple as it's to keep a tiny bit of data as difficult it's to keep and browse large structured data since you need to define key for every data, in addition you can't really search inside the data except you've got a certain concept for naming the secrets.
Please read Android SharedPreference security
I want to be sure that my app's content is safe. I have a password for encrypted database inside of my app and I just want to figure out if there are safe places in my project which can't be accessed by reverse engineering.
And it would be great if u explain shortly how reverse engineering works. ThanQ.
And plz don't post links to ProGuard!
Any hard-coded value CAN be viewed by reverse engineering your app.
This includes passwords, urls, etc.
In order to reverse engineer an android app, proceed with the following steps:
1- Rename your app's APK file to ZIP (e.g. myapp.apk -> myapp.zip)
2- Open the zip file and retrieve the classes.dex file.
3- Use dex2jar to get a jar file from classes.dex
4- Use jd-gui to open the jar file and view your original code.
Haawa,
If you are storing the password in your app as a static string, it is NOT safe. It is trivially easy to get to it, even if you are using ProGuard. The best way to safeguard it is to not store it at all. Instead, if possible, have your app send a unique identifier of some kind to a server that validates the user (possibly using LVL), then the server hands back a DB password or the actual DB data itself (stored on the server).
If this is not possible, or if you don't have access to your own server, at least obfuscate the string in some way by storing it as a XOR'ed string or better yet, come up with your own function to obsfucate the string. NEVER have a line in your java code that looks like password = "mypass";
In reverse engineering : your .apk file Rename from .apk to .zip file , then abstract zip file and find your folder,
But You can not able for find .class file of your Project
Reverse engineering is more about recreating intellectual property by careful analyzing application's behavior aspects. Regarding security matters, I think, social engineering should be of more concern to you
Others have explained the reverse engineering, so I will explain how you should encrypt the database.
You should encrypt the database using the user's credentials (username and password or PIN) as the key. When the user starts the application, they should be prompted for the credentials. The key should not be hard coded.
This prevents an attacker from accessing the user's data without having the credentials.
If you are trying to hide the data from everyone including the user, yet have the application be able to access it, then you have to store it on the server and only request the data that you're willing to show to the user.
I wonder about shared preferences security.
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
Is sharedpreferences good place to put sensitive data, such as password or auth token?
Thanks
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps runs with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see. There is a very extensive discussion about this in Application Security for the Android Platform, just published in December 2011 (disclaimer: I'm the author of this book).
SharedPreferences are nothing but XML files in your phones /data/data/ folder,So any application or user with superuser privilages on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV
Still there is a way to protect it from everybody...
Please checkout this link.
Here you can store data in pref with encryption,the class is self explanatory and very easy to use.
https://github.com/sveinungkb/encrypted-userprefs
As said by others anyone can access it but in this case no one can read data inside it as it is encrypted. So its secure.For Utmost security my suggestion will be to generate the key used for encryption at run time rather than hard coding it. There are many ways to do that :)
Normally, no, they cannot be accessed by other apps, however, you should note that SharedPreferences are stored as XML files in the /data/data/ directory, which essentially means that any application with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
By code No. But you can retrieve application file if you have super user privileged.
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
If you are super user(rooted devices) then you can pull all private files of the app.
Is sharedpreferences good place to put sensitive data, such as password or auth token?
No. It can be easily hacked. If you want to put any sensitive data in shared prefrence file you can encrypt the data and store. You can store your encryption key in NDK/server.
I want to know how safe it is to pack the database with the application in android. Can the database be easily accessed by the users? As the database that I have will have data which I dont want to be hacked by users for misuse, what is the best way to protect the database in mobile apps?
Also my application would use web service(contacting my own website) e.g. http:\www.mysite.com/services/xxx
My site will in turn return some data to the mobile app. If someone decompiles the java code(in apk), he will easily get access to the URL i am using for web service. How can i protect my data on website to be attacked by malicious users. If anyone gets to know the URL, he can simply type that URL in browser and get all data in json format which i dont want as that data can be quite sensitive. Even if I keep it encoded, then the user can get to know the encoding from the java code(which he gets after decompiling apk).
How to keep my DB safe from being misused?
If my application is to show the local places like restaurants, bars etc on mobile should i always fetch them from the website using web service or provide a local database with these details so that information can be fetched quickly. In this case , I can provide a UPDATE web servcie which will update the local database. But security of local DB is of great concern to me.
Can anyone please suggest where to keep the DB and how to safeguard it?
Rgds,
Sapan
Local databases and your apk file can be read by any rooted device easily. This tool can even decompile your resources as explained in this youtube tutorial (I never tried that myself actually).
So you would have to store your data encrypted in your database and decrypt it form your application code to be sure that noone can access it by simply getting the database form the data directory of his device.
You shouldn't put your sensitive data (like passwords etc) in the resource folder, because it can be decompiled, put it in your code.
Now some words to your JSON API. Hiding the URL is not enough, since the user can track your requests easily by a sniffer and get that anyway. You should provide a authentication mechanism to protect unauthorized access and also protect your communication by SSL. (E.g. using HTTP authentication - makes only sense when your server provides SSL.)
This are the things you should think about and decide yourself how sensitive your data actually is.
As far as I understand you're going to:
Pack initial DB in your APK file (say with res/asset folder)
During first run explode DB file from res/asset to application data folder
Then from to time fetch data into DB from website/webservice
In this case there are basically 2 vulnerabilities (stored data I mean):
Initial DB image, since it's packed with APK (which is in real life just ZIP archive), so anyone can unpack and see what's packed in your DB
DB file stored in application data folder (usually /data/data/MY_APPLICATION_PACKAGE/databases). This folder is accessible on rooted device, so again your data can easily be screened
The only option to be secured is to encrypt your database content. Easiest way to do it to store sensitive data in BLOBs (in form of XML of JSON) and encrypt/decrypt those BLOBs after/before actual usage of certain records.
Myself personally did it in my app - and it works well.
check this links for protecting your apk file for decompile
How to make apk Secure. Protecting from Decompile
Protecting Android apk to prevent decompilation, network sniffing etc
decompiling DEX into Java sourcecode