Android SharedPreference security
Solution 1
SharedPreferences are nothing but XML files in your phone's /data/data/ folder, so any application or user with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV
Still, there is a way to protect it from everybody... Please check out this link. Here you can store data in pref with encryption; the class is self-explanatory and very easy to use.
https://github.com/sveinungkb/encrypted-userprefs
As said by others, anyone can access it, but in this case no one can read the data inside it, as it is encrypted. So it's secure. For utmost security, my suggestion will be to generate the key used for encryption at run time rather than hard-coding it. There are many ways to do that :)
Solution 2
Normally, no, they cannot be accessed by other apps, however, you should note that SharedPreferences are stored as XML files in the /data/data/ directory, which essentially means that any application with superuser privileges on a rooted device can access your SharedPreferences, even if they were created with MODE_PRIV
Solution 3
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
By code, no. But you can retrieve the application file if you have superuser privileges.
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
If you are a superuser (rooted devices), then you can pull all private files of the app.
Is sharedpreferences good place to put sensitive data, such as password or auth token?
No. It can be easily hacked. If you want to put any sensitive data in a shared preference file, you can encrypt the data and store it. You can store your encryption key in NDK/server.
Marek Sebera
Updated on July 30, 2020
Comments
-
Marek Sebera almost 4 years
I wonder about shared preferences security.
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
Is sharedpreferences good place to put sensitive data, such as password or auth token?
Thanks
-
Olayinka over 8 years
Then how do you save the generated key?
-
Paulo Avelar over 8 years
@Olayinka It'd be safer to encrypt that with yet another key and save it in a SharedPref. But then, what to do with the other key? Seriously though, best scenario would be sending the encrypted key and a device UID to a server using SSL to be stored there and retrieved as needed. That would require connectivity, but would allow you to blacklist a device and suddenly have all data trashed. Without constant internet connection, any try to encrypt data is not 100% safe.
-
Raj Trivedi about 7 years
I used the above solution... it works 9 out of 10 times, but I am getting "error:1e06b065:Cipher functions:EVP_DecryptFinal_ex:BAD_DECRYPT" at times. Does anyone have an idea?
-
apex39 about 6 years
@PauloAvelar Use Android KeyStore for long-term storage and retrieval of cryptographic keys. Keys are not stored within an application, so they cannot be compromised. The provided library does not use it. It saves the secret in the code, thus it is not safe.
-
John Sardinha over 4 years
How can it be easily hacked?
-
Cuong Vo over 4 years
Yes the question from @Jo
-
DADi590 over 2 years
@JohnSardinha I believe you can just edit the XML file as soon as you have write access to it. Then after restarting the app, the modified file will be used.