Secured-Preference-Store

A SharedPreferences wrapper for Android that encrypts the content with 256 bit AES encryption. The Encryption key is securely stored in device's KeyStore. You can also use the EncryptionManager class to encrypt & decrypt data out of the box.

Setup

Maven

<dependency>
  <groupId>online.devliving</groupId>
  <artifactId>securedpreferencestore</artifactId>
  <version>latest_version</version>
  <type>pom</type>
</dependency>

Gradle

compile 'online.devliving:securedpreferencestore:latest_version'

Usage

Before using the store for the first time you must initialize it

//not mandatory, can be null too
String storeFileName = "securedStore";
//not mandatory, can be null too
String keyPrefix = "vss";
//it's better to provide one, and you need to provide the same key each time after the first time
byte[] seedKey = "SecuredSeedData".getBytes();
SecuredPreferenceStore.init(getApplicationContext(), storeFileName, keyPrefix, seedKey, new DefaultRecoveryHandler());

perhaps in onCreate of your Application class or launcher Activity.

You can use the secured preference store just like the way you use the default SharedPreferences

SecuredPreferenceStore prefStore = SecuredPreferenceStore.getSharedInstance(getApplicationContext());

String textShort = prefStore.getString(TEXT_1, null);
String textLong = prefStore.getString(TEXT_2, null);
int numberInt = prefStore.getInt(NUMBER_1, 0);

prefStore.edit().putString(TEXT_1, text1.length() > 0 ? text1.getText().toString() : null).apply();
prefStore.edit().putString(TEXT_2, text2.length() > 0 ? text2.getText().toString() : null).apply();
prefStore.edit().putInt(NUMBER_1, number1.length() > 0 ? Integer.parseInt(number1.getText().toString().trim()) : 0).commit();

You can access the underlying encryption manager to encrypt/decrypt data:

EncryptionManager encryptionManager = SecuredPreferenceStore.getSharedInstance().getEncryptionManager();

You can also use a standalone EncryptionManager to encrypt/decrypt data on your own:

SharedPreferences preferences = getSharedPreferences("backingStore", MODE_PRIVATE);
//not mandatory, can be null too
String keyAliasPrefix = "kp";
//not mandatory, can be null too
byte[] bitShiftKey = "bitShiftBits".getBytes();
EncryptionManager encryptionManager = new EncryptionManager(getApplicationContext(), preferences,
    keyAliasPrefix, bitShiftKey, new SecuredPreferenceStore.KeyStoreRecoveryNotifier() {
	@Override
	public boolean onRecoveryRequired(Exception e, KeyStore keyStore, List<String> keyAliases) {
	    return false;
	}
});
EncryptionManager.EncryptedData encryptedData = encryptionManager.encrypt(bytesToEncrypt);
byte[] decryptedData = encryptionManager.decrypt(encryptedData);

Sample file content

A sample secured preference file will look like:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="11CD15241CB4D6F953FA27C76F72C10920C5FADF14FF2824104FA5D67D25B43C">ZMnr87IlDKg81hKw2SQ6Lw==]dhP/ymX7CMSaCkP6jQvNig==</string>
    <string name="C8D076EFD8542A5F02F86B176F667B42BFB9B1472E974E6AF31EB27CEA5689D4">JQ6Y4TQ/Y3iYw7KtatkqAg==]P+gpavV0MXiy1Qg0UHlBMg==</string>
    <string name="F2AA713F406544A3E9ABA20A32364FA29613F01C867B3D922A85DF4FA54FA13D">jMH1Wjnk0vehHOogT27HRA==]e8UHX1ihYjtP6Cv8dWdHLBptLwowt6IojKYa+1jkeH4=</string>
    <string name="C06C6027E72B7CE947885F6ADE3A73E338881197DBE02D8B7B7248F629BE26DA">EAGwO8u2ZPdxwdpAwPlu6A==]797VOGtpzDBO1ZU3m+Sb1A==</string>
    <string name="33188AFFEC74B412765C3C86859DE4620B5427C774D92F9026D95A7A8AAE1F96">s0b5h8XNnerci5AtallCQziSbqpm+ndjIsAQQadSxM+xzw7865sE3P+hbxGmMAQQj0kK35/C//eA
MXuQ0N/F+oapBiDIKdRt2GJB3wJ+eshuh6TcEv+J8NQhqn1eO2fdao353XthHpRomIeGEWLvB4Yd
7G5YYIajLWOGWzQVsMTg1eqdcJ7+BAMXdOdWhjTTo91NvhvykgLMC03FsePOZ/X8ej4vByH1i0en
hJCiChk90AQ9FhSkaF/Oum9KoWqg7NU0PGurK755VZflXfyn1vZ8hhTulW7BrA2o9HvT9tbju+bk
4yJ5lMxgS6o4b+0tqo+H4TPOUiZPgehTwsrzJg==
    </string>
    <string name="9DCB904DFDA83286B41A329A7D8648B0BFF73C63E844C88800B2AA5119204845">XPuUd1t97pnwsOzzHY3OCA==]xqXJrEfcgDhYo2K4TTAvY9IQwP/tGctd4Fa1JT/1sB8=</string>
</map>

NOTICE

The keys stored in the KeyStore aren't encrypted at rest to avoid the issue where they get deleted when the device's lock screen protection changes. So if the device doesn't have a hardware backed key storage then the keys might be at a vulnerable state. You can read more about it here.

Recovery

Keys get deleted/locked in API levels lower than 21 and sometimes on later versions of the API on some devices when the user changes the device's security (screen lock protection). This phenomena is due to few issues in the Keystore implementation i.e 61989, 177459. Until those issues are fixed we need a way to recover from that scenario, otherwise the app itself might become unusable. To enable recovery you can add a RecoveryHandler to SecuredPreferenceStore before calling getSharedInstance for the first time.

SecuredPreferenceStore.setRecoveryHandler(new RecoveryHandler() {
            @Override
            protected void recover(Exception e, KeyStore keyStore, List<String> keyAliases, SharedPreferences preferences) {
                //Your recovery code goes here
            }
        });

A default recovery handler called DefaultRecoveryHandler is included in the library which deletes the keys and data, giving the library a chance to start over.

License

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Copyright 2017 Mehedi Hasan Khan